Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.


Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

Intel Source: ASEC
Intel Name: Kimsuky_Targets_Academics_via_Phishing_Campaign
Date of Scan: 2025-06-17
Impact: MEDIUM
Summary: ASEC researchers have uncovered a new phishing campaign by the North Korean state-sponsored group Kimsuky, which targets professionals by impersonating thesis reviewers. The phishing emails carry malicious password-protected Hangul Word Processor (HWP) documents. When the victim opens the file and enables content, it drops multiple files into the system's temporary directory, including a BAT script that starts a multi-stage infection. This process installs a PowerShell script that collects system and antivirus data, exfiltrates it to an attacker-controlled Dropbox account and downloads additional payloads. The malware also abuses the legitimate remote access software AnyDesk by replacing its configuration files with attacker-controlled versions, so that all visual signs such as tray icons and windows are hidden. The attackers additionally rely on scheduled task abuse, encoded payloads and a staged execution method to stay hidden and maintain access.
Source: https://asec.ahnlab.com/ko/88419/

Intel Source: ISC.SANS
Intel Name: Go_Based_SSH_Botnet_Targets_Linux_Systems
Date of Scan: 2025-06-17
Impact: LOW
Summary: Researchers at ISC.SANS have identified a global, automated attack campaign targeting internet-exposed Linux systems with weak SSH credentials. The threat actor, using a Go-based tool, brute-forces access and executes a multi-stage infection to establish persistent control. Observed on April 29, 2025, the attack deploys architecture-specific malware variants for ARM and x86 systems, indicating a clear focus on compromising a wide range of devices, including the Internet of Things (IoT) ecosystem. After gaining initial access, the attacker installs an SSH key backdoor and uses the chattr command to make the authorized_keys file immutable, significantly hindering remediation efforts.
Source: https://isc.sans.edu/diary/rss/32024

Intel Source: Picussecurity
Intel Name: Katz_Stealer
Date of Scan: 2025-06-16
Impact: LOW
Summary: Researchers from Picus have uncovered Katz Stealer, a new information-stealing malware-as-a-service (MaaS) that emerged in 2025. The malware is distributed via phishing campaigns and trojanized software. It uses a multi-stage infection chain that includes obfuscated JavaScript droppers, PowerShell loaders and .NET-based UAC bypass techniques. The malware runs entirely in memory, hides inside legitimate Windows processes and uses image files to conceal and run malicious code. Once on the system, it targets web browsers such as Chrome and Firefox, email accounts, VPN services, file transfer programs and cryptocurrency wallets. Additionally, it takes control of Discord by injecting malicious code that runs every time the app starts, giving attackers remote access to the system.
Source: https://www.picussecurity.com/resource/blog/understanding-katz-stealer-malware-and-its-credential-theft-capabilities

Intel Source: cloudsek
Intel Name: Fileless_AsyncRAT_via_Clickfix_Lure
Date of Scan: 2025-06-16
Impact: LOW
Summary: Researchers at CloudSEK have identified an active fileless malware campaign distributing AsyncRAT to German-speaking users. The attack, ongoing since at least April 2025, begins with a Clickfix-themed website that socially engineers victims into executing a malicious PowerShell command through a fake CAPTCHA prompt. The initial command downloads a second-stage, obfuscated PowerShell script, which then decodes and reflectively loads a C# AsyncRAT payload directly into memory, evading file-based detection. The malware leverages legitimate system utilities such as conhost.exe and PowerShell for stealthy execution, establishes persistence via RunOnce registry keys, and communicates with a command-and-control server over TCP port 4444.
Source: https://www.cloudsek.com/blog/fileless-asyncrat-distributed-via-clickfix-technique-targeting-german-speaking-users

Intel Source: Trend Micro
Intel Name: Water_Curse_GitHub_Malware_Campaign
Date of Scan: 2025-06-16
Impact: MEDIUM
Summary: Researchers from Trend Micro have uncovered a broad supply chain campaign conducted by a financially motivated threat actor tracked as Water Curse, targeting developers, security professionals and gamers. The actor leverages at least 76 weaponized GitHub repositories to deliver multistage malware. The initial attack vector tricks users into downloading and compiling seemingly legitimate open-source tools, where malicious code embedded in Visual Studio project files executes during the build process. This initiates a complex infection chain using VBS and PowerShell scripts to deploy an Electron-based backdoor, which performs privilege escalation through UAC bypass, establishes persistence via scheduled tasks, and disables security defenses such as Windows Defender and Volume Shadow Copies.
Source: https://www.trendmicro.com/en_us/research/25/f/water-curse.html

Intel Source: Resecurity
Intel Name: APT41_Uses_Google_Calendar_for_C2
Date of Scan: 2025-06-16
Impact: MEDIUM
Summary: Researchers from Resecurity have uncovered that the Chinese state-sponsored threat actor APT41, which is involved in both espionage and cybercrime, has launched a new campaign leveraging Google Calendar as a covert C2 channel. The threat actor gains initial access through spear phishing emails containing a ZIP archive disguised as export documentation, which includes malicious LNK files and decoy images. Upon execution, a series of malware components (PLUSDROP, PLUSINJECT and TOUGHPROGRESS) activates and runs directly in the system's memory, using process hollowing and hiding inside legitimate system processes to avoid detection. The final payload, TOUGHPROGRESS, communicates with attacker-controlled Google Calendar events to receive commands and sends stolen data back by writing it into new calendar entries. This malware is highly advanced and capable of altering the Windows operating system, which could allow the attackers to take full control of the system and erase traces of their activity.
Source: https://www.resecurity.com/blog/article/apt-41-threat-intelligence-report-and-malware-analysis

Intel Source: Darktrace
Intel Name: ClickFix_Social_Engineering_Attack_Chain
Date of Scan: 2025-06-16
Impact: LOW
Summary: Researchers from Darktrace have observed threat actors, including APT groups such as APT28 and MuddyWater, leveraging a social engineering tactic dubbed "ClickFix" to gain initial access and exfiltrate data from organizations. This prolific campaign, observed in early 2025 across EMEA and the United States, targets the human user as the weakest link through phishing or malvertising that directs victims to a fake prompt, such as a CAPTCHA or error message. These prompts trick users into manually executing a malicious PowerShell command, which establishes command and control (C2) communication. This allows attackers to download secondary payloads such as XWorm or Lumma, move laterally, and exfiltrate sensitive system information.
Source: https://www.darktrace.com/blog/unpacking-clickfix-darktraces-detection-of-a-prolific-social-engineering-tactic

Intel Source: Spider Labs
Intel Name: Mamba2FA_Credential_Harvesting_Campaign
Date of Scan: 2025-06-16
Impact: LOW
Summary: Researchers at SpiderLabs have identified an active phishing campaign leveraging a Phishing-as-a-Service (PhaaS) kit known as Mamba2FA. The attack begins with a lure themed as a "Secure Document Portal," designed to trick victims into entering their email address to access a purported document. Upon submission, the user is redirected to a counterfeit Microsoft login page for credential harvesting. The use of a PhishKit and PhaaS infrastructure indicates a commoditized and scalable threat, enabling less-skilled actors to deploy effective attacks.
Source: https://x.com/SpiderLabs/status/1932844577355939890

Intel Source: K7 Labs
Intel Name: Spectra_Ransomware_Double_Extortion
Date of Scan: 2025-06-16
Impact: MEDIUM
Summary: Researchers from K7 Security Labs have observed Spectra Ransomware, an emerging double-extortion threat targeting Windows-based systems. Attackers demand a $5,000 Bitcoin payment within a 72-hour deadline, threatening to leak stolen data if victims do not comply. The malware achieves persistence by creating a Run registry key and masquerading as svchost.exe in the AppData folder.
Source: https://labs.k7computing.com/index.php/the-spectre-of-spectraransomware/

Intel Source: IBM X-Force
Intel Name: Hive0131_Targets_Latin_America
Date of Scan: 2025-06-16
Impact: MEDIUM
Summary: Researchers at IBM X-Force have identified a surge in cyber-attacks involving DCRat across Latin America. These attacks are attributed to the financially motivated threat group Hive0131. The group sends phishing emails impersonating Colombian judicial entities to trick recipients into clicking malicious links embedded in PDFs and Google Docs, which initiate the infection chains. These phishing campaigns deliver DCRat, a Malware-as-a-Service (MaaS) tool, via obfuscated loaders such as VMDetectLoader, which employs virtual machine detection, AMSI bypass and process hollowing to evade detection. The malware is capable of surveillance, data exfiltration, command execution and persistence through scheduled tasks or registry keys. Researchers also observed the attackers using various methods, such as JavaScript and VBScript, to distribute the malware. Hive0131 appears to have shifted from traditional RATs such as QuasarRAT and NjRAT to more advanced payloads such as DCRat, which makes detection and removal more difficult.
Source: https://www.ibm.com/think/x-force/dcrat-presence-growing-in-latin-america

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.


Why Security Content Matters

Learn how Securonix is paving the way to make precise and actionable security content a reality for our customers.