Threat Research Feed

2025-05-25
PureRAT_Spam_Attacks_in_Russia
LOW
Intel Source:
Securelist
Intel Name:
PureRAT_Spam_Attacks_in_Russia
Date of Scan:
2025-05-25
Impact:
LOW
Summary:
Securelist researchers discovered an increase in attacks against Russian enterprises utilizing the Pure malware family, specifically PureRAT and PureLogs. This campaign has been active since March 2023, and it experienced a fourfold growth in early 2025 compared to the same period in 2024. The campaign, which is distributed via spam emails containing malicious RAR files or links, deceives users by using accounting-related file names and double extensions such as .pdf.rar.
Source: https://securelist.ru/purerat-attacks-russian-organizations/112619/
2025-05-24
Fake_Zoom_Invites_Steal_Credentials
LOW
Intel Source:
Spider Labs
Intel Name:
Fake_Zoom_Invites_Steal_Credentials
Date of Scan:
2025-05-24
Impact:
LOW
Summary:
SpiderLabs researchers have identified a phishing campaign targeting corporate users with fake Zoom meeting invitations designed to steal login credentials. The attackers leverage urgent, legitimate-looking emails to lure recipients into clicking malicious links. These links lead to deceptive Zoom pages that play pre-recorded videos to make it appear that a live meeting is in progress; after a fake disconnection message, the page asks users to enter their credentials on a fake login screen. Once entered, the stolen information is immediately sent to the attackers through Telegram. The primary objective of this campaign is to steal login credentials, which could lead to account takeovers.
Source: https://x.com/SpiderLabs/status/1924424257083179462
2025-05-23
W3LL_Phishing_Kit_Hits_Outlook_Users
MEDIUM
Intel Source:
Hunt.IO
Intel Name:
W3LL_Phishing_Kit_Hits_Outlook_Users
Date of Scan:
2025-05-23
Impact:
MEDIUM
Summary:
Researchers from Hunt.IO have discovered a phishing campaign leveraging the W3LL Phishing Kit to target Microsoft Outlook credentials. This Phishing-as-a-Service (PaaS) tool, initially identified by Group-IB in 2022 and available through the W3LL Store marketplace, enables attackers to conduct adversary-in-the-middle (AiTM) attacks to hijack session cookies and bypass multi-factor authentication. The observed campaign utilized an open directory on IP address to host W3LL phishing kit components, including IonCube-obfuscated PHP files in folders named "OV6". The phishing lure involved a fake Adobe Shared File service webpage that, upon attempted login, sent credentials via a POST request, specifically to a /wazzy.php endpoint.
Source: https://hunt.io/blog/phishing-kit-targets-outlook-credentials
2025-05-23
TA406_Targeting_Government_Entities_in_Ukraine
MEDIUM
Intel Source:
Proofpoint
Intel Name:
TA406_Targeting_Government_Entities_in_Ukraine
Date of Scan:
2025-05-23
Impact:
MEDIUM
Summary:
Researchers from Proofpoint have uncovered phishing campaigns run by the DPRK state-sponsored actor TA406, also known as Opal Sleet and Konni, targeting government entities in Ukraine. The campaigns focus on credential harvesting and malware deployment to collect intelligence related to the ongoing Russian invasion. The attackers impersonate members of a think tank and send fake Microsoft security alerts to trick people into opening malicious files in HTML, CHM, ZIP or LNK formats. These files execute a hidden PowerShell script that gathers host data, establishes persistence via autorun batch files and sends the data to servers controlled by the attackers.
Source: https://www.proofpoint.com/us/blog/threat-insight/ta406-pivots-front
2025-05-23
PyBitmessage_Backdoor_Malware
LOW
Intel Source:
ASEC
Intel Name:
PyBitmessage_Backdoor_Malware
Date of Scan:
2025-05-23
Impact:
LOW
Summary:
ASEC researchers have identified a hidden backdoor that is installed alongside a Monero cryptocurrency miner and leverages the PyBitmessage library for C2 communications. The initial malware decrypts and deploys both the coinminer and a fileless PowerShell-based backdoor that executes directly in memory and downloads additional malicious tools from GitHub or Russian file hosting services. The attacker's primary motive is to exploit the compromised system for cryptocurrency mining while establishing persistent access through the backdoor for potential further attacks.
Source: https://asec.ahnlab.com/ko/88104/
2025-05-22
Koishi_Chatbot_Plugin_Steals_Messages
LOW
Intel Source:
Socket
Intel Name:
Koishi_Chatbot_Plugin_Steals_Messages
Date of Scan:
2025-05-22
Impact:
LOW
Summary:
Researchers at Socket have discovered a malicious npm package, koishi-plugin-pinhaofa, designed to exfiltrate data from Koishi chatbots. Marketed as a spelling auto-correct helper, the plugin, once installed, silently scans all chatbot messages for any eight-character hexadecimal string. Upon finding such a string, which could represent sensitive data like commit hashes, API tokens, or checksums, the plugin forwards the entire message content to a hardcoded QQ account (UIN: 1821181277) controlled by the threat actor, who uses the npm alias kuminfennel. This exposes any secrets or credentials embedded within or surrounding the trigger string. This activity represents a supply chain attack targeting chatbot frameworks, exploiting the trust developers place in community plugins and the unrestricted access these plugins often have within the bot process.
Source: https://socket.dev/blog/malicious-koishi-chatbot-plugin?utm_medium=feed
2025-05-22
SEO_Poisoning_Infostealer_Trends
LOW
Intel Source:
ASEC
Intel Name:
SEO_Poisoning_Infostealer_Trends
Date of Scan:
2025-05-22
Impact:
LOW
Summary:
Researchers at ASEC have identified ongoing trends in Infostealer malware spread throughout April 2025, focusing on the continued use of crack and keygen disguises to entice victims. These threats, typically promoted by SEO poisoning to appear at the top of search results, included well-known Infostealers such as LummaC2, Vidar, and StealC.
Source: https://asec.ahnlab.com/en/88062/
2025-05-22
AutoIT_Based_AsyncRAT_Delivery_Chain
LOW
Intel Source:
ISC.SANS
Intel Name:
AutoIT_Based_AsyncRAT_Delivery_Chain
Date of Scan:
2025-05-22
Impact:
LOW
Summary:
Researchers at ISC.SANS have found a malware campaign that delivers a RAT through a dual-layer AutoIT script framework. The first executable downloads an AutoIT interpreter and a second obfuscated AutoIT script that decodes and executes commands using a custom Wales() function. Persistence is enabled using a custom shortcut in the Startup folder that runs JavaScript and initiates further execution. The final payload, injected into a jsc.exe process as a DLL called Urshqbgpm.dll, attempts to communicate with a known AsyncRAT C2 server and includes references to PureHVNC functionality.
Source: https://isc.sans.edu/diary/31960
2025-05-22
Tycoon2FA_Phishing_Using_Malformed_URLs
MEDIUM
Intel Source:
SpiderLabs
Intel Name:
Tycoon2FA_Phishing_Using_Malformed_URLs
Date of Scan:
2025-05-22
Impact:
MEDIUM
Summary:
SpiderLabs researchers have identified that Tycoon2FA-linked phishing campaigns are targeting Microsoft 365 users. These campaigns leverage malformed URLs containing backslash characters (https:\\) instead of forward slashes. Despite this unconventional formatting, most web browsers still resolve these links, leading unsuspecting victims to credential harvesting pages. This technique is employed by threat actors to bypass email security filters and evade URL-based detection systems, ultimately aiming to steal Microsoft 365 credentials. The infrastructure observed involves domains hosted on services like Azure and Cloudflare Workers.
Source: https://x.com/SpiderLabs/status/1924486856902586689
2025-05-22
Confluence_Hit_by_ELPACO_Ransomware
MEDIUM
Intel Source:
The DFIR Report
Intel Name:
Confluence_Hit_by_ELPACO_Ransomware
Date of Scan:
2025-05-22
Impact:
MEDIUM
Summary:
The DFIR Report researchers have observed that an unpatched, internet-facing Confluence server was compromised via CVE-2023-22527, leading to the deployment of ELPACO-team ransomware (a Mimic variant) approximately 62 hours later. The threat actor initially used the exploit to deploy a Metasploit payload and establish C2 via IP. Following initial access, the actor performed privilege escalation using RPCSS named pipe impersonation, created a local administrator account ("noname"), and installed AnyDesk for persistent remote access via a self-hosted server. Extensive discovery, including network scanning with SoftPerfect NetScan and attempted Zerologon exploitation, preceded credential harvesting using Mimikatz and Impacket's Secretsdump. Lateral movement was achieved using the compromised domain administrator credentials via Impacket wmiexec and RDP.
Source: https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/#indicators
2025-05-21
DBatLoader_Targeting_Turkish_Users
LOW
Intel Source:
ASEC
Intel Name:
DBatLoader_Targeting_Turkish_Users
Date of Scan:
2025-05-21
Impact:
LOW
Summary:
ASEC researchers have identified a phishing campaign targeting Turkish users with malware known as DBatLoader, also called ModiLoader. The attackers send phishing emails in the Turkish language, impersonating bank transaction notifications, which contain a malicious RAR file with a BAT script. This initial BAT script executes DBatLoader, which then leverages a series of obfuscated batch scripts and legitimate Windows tools to hide its activity and bypass security systems in order to install SnakeKeylogger. This malware steals system information, keyboard input and clipboard data and sends the stolen data to the attackers' Telegram C2 server.
Source: https://asec.ahnlab.com/ko/87980/
2025-05-21
PyPI_Backdoor_Targets_Developers
LOW
Intel Source:
Reversinglabs
Intel Name:
PyPI_Backdoor_Targets_Developers
Date of Scan:
2025-05-21
Impact:
LOW
Summary:
Researchers at ReversingLabs have uncovered a malicious Python package called "dbgpkg" on the PyPI repository, disguised as a debugging tool. Once installed by developers, it deploys a backdoor that allows attackers to execute malicious code and exfiltrate sensitive data. The malware uses Python function wrappers on the requests and socket modules to run its code in the background; that code downloads a public key from Pastebin and uses a tool called Global Socket Tool to bypass firewalls and connect to the attacker's server. This campaign is believed to be linked to Phoenix Hyena/DumpForums, which has been targeting Russian interests in support of Ukraine since 2022.
Source: https://www.reversinglabs.com/blog/backdoor-implant-discovered-on-pypi-posing-as-debugging-utility
2025-05-20
FrigidStealer_Malware
LOW
Intel Source:
Wazuh
Intel Name:
FrigidStealer_Malware
Date of Scan:
2025-05-20
Impact:
LOW
Summary:
Wazuh researchers have uncovered a new information-stealing malware named FrigidStealer, targeting macOS users since January 2025 and potentially linked to the EvilCorp syndicate. It is being distributed through fake browser update pages on compromised websites, tricking users into downloading a malicious disk image. Upon execution, the malware asks for the user's password via an AppleScript pop-up to bypass macOS Gatekeeper, then registers itself as an application and ensures it runs every time the system starts. FrigidStealer exfiltrates sensitive data including browser credentials, files, system information, and cryptocurrency wallet details and secretly sends it to a remote server using DNS tunneling. It terminates its own process to evade detection.
Source: https://wazuh.com/blog/detecting-frigidstealer-malware-with-wazuh/
2025-05-20
China_Nexus_State_Actors_Exploiting_SAP_Vulnerability
MEDIUM
Intel Source:
EclecticIQ
Intel Name:
China_Nexus_State_Actors_Exploiting_SAP_Vulnerability
Date of Scan:
2025-05-20
Impact:
MEDIUM
Summary:
EclecticIQ researchers have uncovered that China-nexus state-sponsored groups such as UNC5221, UNC5174 and CL-STA-0048 are exploiting an unauthenticated file upload vulnerability (CVE-2025-31324) in SAP NetWeaver Visual Composer. The threat actors leverage the resulting remote code execution to deploy malicious webshells, enabling command execution and the installation of additional payloads like KrustyLoader and the SNOWLIGHT RAT. They are targeting government and essential service organizations in the UK, US and Saudi Arabia, aiming to compromise critical infrastructure, exfiltrate sensitive data, and maintain persistence.
Source: https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures
2025-05-20
PowerShell_Loader_Executes_Remcos_RAT
LOW
Intel Source:
Qualys
Intel Name:
PowerShell_Loader_Executes_Remcos_RAT
Date of Scan:
2025-05-20
Impact:
LOW
Summary:
Qualys researchers have identified a new PowerShell-based shellcode loader that filelessly loads and executes a variant of Remcos RAT. The attackers deliver this malware inside ZIP archives that contain malicious LNK files disguised as Office documents. When a user opens such a file, it triggers an HTA file via mshta.exe, which then downloads and executes obfuscated PowerShell code that runs directly in the system's memory. It leverages Windows functions to load a Remcos RAT variant known as K-Loader. This variant has extensive capabilities including keylogging, screen capture, clipboard access, UAC bypass, and process hollowing for evasion.
Source: https://blog.qualys.com/vulnerabilities-threat-research/2025/05/15/fileless-execution-powershell-based-shellcode-loader-executes-remcos-rat
2025-05-20
Evolution_of_Tycoon_2FA_Defense_Evasion_Mechanisms
MEDIUM
Intel Source:
Any.Run
Intel Name:
Evolution_of_Tycoon_2FA_Defense_Evasion_Mechanisms
Date of Scan:
2025-05-20
Impact:
MEDIUM
Summary:
ANY.RUN researchers have analyzed the Tycoon 2FA Phishing-as-a-Service (PhaaS) platform, which has been active since August 2023, targets Microsoft 365 and Gmail credentials, and has demonstrated continuous evolution in its anti-detection mechanisms. This AiTM phishing kit employs a multi-stage attack, starting with obfuscated JavaScript on a landing page, which performs several checks ("nomatch" decoy, domain comparison) before proceeding. It then uses Cloudflare Turnstile CAPTCHA (or other CAPTCHA services like reCAPTCHA and IconCaptcha in later variants) and C2 server queries to validate the user before delivering the core phishing content. Later stages involve further Base64/XOR obfuscation, encrypted payload delivery, and dynamic URL generation for data exfiltration to a C2 infrastructure often using .ru, .es, .su, .com, and .net TLDs. Notable new evasion techniques observed between December 2024 and May 2025 include debugger timing checks, debug environment detection (Selenium, PhantomJS), keystroke interception, context menu blocking, dynamic multimedia loading from legitimate CDNs for victim-tailored lures, invisible JavaScript obfuscation, custom fake page redirects, custom CAPTCHAs, browser fingerprinting, and AES encryption for payload obfuscation.
Source: https://any.run/cybersecurity-blog/tycoon2fa-evasion-analysis/
2025-05-19
APT36_and_Hacktivists_Targeting_India
HIGH
Intel Source:
CyberProof
Intel Name:
APT36_and_Hacktivists_Targeting_India
Date of Scan:
2025-05-19
Impact:
HIGH
Summary:
Researchers at CyberProof have observed a surge in cyber-attacks targeting Indian systems, coinciding with heightened geopolitical tensions following a terrorist attack in Baisaran Valley on April 22, 2025. The Pakistan-linked APT36 (Transparent Tribe) has been observed targeting Indian government and defense offices with phishing URLs and their known Crimson RAT, a tool capable of extensive information theft and voice recording. Simultaneously, hacktivist groups including 'Cyber Group HOAX1337', 'IOK Hacker', and 'National Cyber Crew' have reportedly targeted Indian educational institutes. Lures used by APT36 include malicious PDF files and macro-embedded XLSM documents, often themed around official Indian government or military communications, such as those impersonating Jammu & Kashmir Police or the Indian Air Force. One identified PowerPoint (PPAM) file, "Report & Update Regarding Pahalgam Terror Attack.ppam," contained a malicious macro consistent with older APT36 droppers, designed to deploy Crimson RAT.
Source: https://www.cyberproof.com/blog/cyber-attacks-rise-as-tension-mounts-across-india-pakistan-border-post-terrorist-attack/
2025-05-19
Ransomware_Hits_Financial_Firms
LOW
Intel Source:
ASEC
Intel Name:
Ransomware_Hits_Financial_Firms
Date of Scan:
2025-05-19
Impact:
LOW
Summary:
Researchers from ASEC have identified a rise in cyber threats targeting financial institutions in Korea and around the world in April 2025. The research focuses on phishing and malware efforts, providing thorough insights into the top ten malware families and compromised Korean account data circulating on Telegram. A notable event was a threat actor, B_ose, selling over 1,700 stolen credit and debit card details on the Exploit forum, with 80% possibly valid and carrying sensitive information such as CVV numbers and addresses.
Source: https://asec.ahnlab.com/en/87975/
2025-05-19
Earth_Ammit_Targets_Drone_Supply_Chain
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Earth_Ammit_Targets_Drone_Supply_Chain
Date of Scan:
2025-05-19
Impact:
MEDIUM
Summary:
Researchers at Trend Micro have discovered that the Chinese-speaking threat group Earth Ammit undertook two synchronized multi-wave campaigns VENOM and TIDRONE between 2023 and 2024, with the goal of disrupting drone supply chains and compromising high-value targets in Taiwan and South Korea. The VENOM campaign targeted software service providers with open-source tools for stealth and low cost, but the subsequent TIDRONE campaign targeted the military industry with custom-built malware such as CXCLNT and CLNTEND for cyberespionage.
Source: https://www.trendmicro.com/en_us/research/25/e/earth-ammit.html
2025-05-18
Adwind_RAT_Targets_Italy_via_PDF_Spear_Phishing
MEDIUM
Intel Source:
CERT-AGID
Intel Name:
Adwind_RAT_Targets_Italy_via_PDF_Spear_Phishing
Date of Scan:
2025-05-18
Impact:
MEDIUM
Summary:
CERT-AGID researchers have identified a large-scale Adwind RAT distribution campaign targeting Italy, Spain, and Portugal, corroborating earlier findings by Fortinet. The attackers employ spear-phishing emails with PDF attachments (Document.pdf, Invoice.pdf) that contain links to cloud storage services like OneDrive or Dropbox. These links lead to the download of an obfuscated VBS or HTML file, which, once deobfuscated, downloads a decoy PDF from Google Drive and, in parallel, a ~90MB ZIP archive from a URL. Unlike previous Adwind campaigns that directly dropped JAR files, this variant delivers a ZIP package containing both the necessary Java environment and the Adwind JAR file disguised as a PNG image (InvoiceXpress.png). This JAR is executed via a CMD script (InvoiceXpress.cmd). The Adwind configuration, encrypted with AES in ECB mode, points to a C2 subdomain on port 4414, consistent with previous Adwind infrastructure.
Source: https://cert-agid.gov.it/news/distribuzione-mirata-in-italia-di-adwind/
2025-05-18
Technical_Investigation_of_TransferLoader
LOW
Intel Source:
Zscaler
Intel Name:
Technical_Investigation_of_TransferLoader
Date of Scan:
2025-05-18
Impact:
LOW
Summary:
Researchers at Zscaler have analyzed a new malware loader named TransferLoader, active since at least February 2025. This loader, observed deploying Morpheus ransomware at an American law firm, contains multiple embedded components: a downloader, a backdoor, and a specialized loader for the backdoor. All components utilize anti-analysis techniques such as PEB debugging checks, dynamic API resolution via hashing, junk code insertion, and runtime string decryption using unique 8-byte XOR keys. The backdoor module communicates with its C2 server via HTTPS or raw TCP, using custom packet structures and a stream cipher for encryption, and notably employs the InterPlanetary File System (IPFS) as a decentralized fallback mechanism for C2 updates. The shared code similarities and evasion methods across TransferLoader components suggest a common developer.
Source: https://www.zscaler.com/blogs/security-research/technical-analysis-transferloader
2025-05-18
Analysis_of_APT_C_51_Recent_Attacks
MEDIUM
Intel Source:
360 Threat Intelligence Center
Intel Name:
Analysis_of_APT_C_51_Recent_Attacks
Date of Scan:
2025-05-18
Impact:
MEDIUM
Summary:
The 360 Advanced Threat Research Institute reported that APT-C-51 (also known as APT35, Charming Kitten), an actor motivated by political and economic interests, conducted an espionage campaign targeting the Middle East. The attack, observed around January 2025, initiated with LNK files (Biography of Mr.leehu hacohn.lnk) that, upon execution, released a decoy PDF and a compressed archive (osf.zip). This archive contained multiple DLLs, including the malicious Wow.dll, which performed environment checks and decrypted a gclib file using AES (key: {}nj45kdada0slfk) to obtain a PowerShell script. This script was then executed by new.dll, leading to the deployment of the PowerLess Trojan (version: 3.3.4).
Source: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247505927&idx=1&sn=d2298d5b26d0f1cfb53c4304a0c55c38
2025-05-17
FortiVoice_Zero_Day_RCE_Exploited
LOW
Intel Source:
Truesec
Intel Name:
FortiVoice_Zero_Day_RCE_Exploited
Date of Scan:
2025-05-17
Impact:
LOW
Summary:
Researchers at Truesec have discovered that CVE-2025-32756, a zero-day stack-based buffer overflow vulnerability in Fortinet products, has been extensively exploited in the field. The vulnerability affects FortiVoice, FortiRecorder, FortiMail, FortiNDR, and FortiCamera, allowing remote, unauthenticated attackers to execute arbitrary commands via specially crafted HTTP requests with a modified hash cookie.
Source: https://www.truesec.com/hub/blog/cve-2025-32756-fortivoice-zero-day-buffer-overflow-exploited
2025-05-17
Ransomware_Groups_Exploiting_SAP_Vulnerability
LOW
Intel Source:
Reliaquest
Intel Name:
Ransomware_Groups_Exploiting_SAP_Vulnerability
Date of Scan:
2025-05-17
Impact:
LOW
Summary:
Reliaquest researchers have uncovered that the Russian ransomware group called BianLian and the operators of RansomEXX, also known as Storm-2460, are exploiting the vulnerability CVE-2025-31324 in SAP NetWeaver Visual Composer. This vulnerability allows attackers to upload and run malicious files without authentication, resulting in remote code execution. The attackers leverage this vulnerability to upload malicious JSP webshells to gain initial access and then deploy post-exploitation tools like Brute Ratel and Heaven's Gate for command-and-control, evasion and further compromise.
Source: https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
2025-05-16
DarkCloud_Stealer
LOW
Intel Source:
Palo Alto
Intel Name:
DarkCloud_Stealer
Date of Scan:
2025-05-16
Impact:
LOW
Summary:
Palo Alto researchers have discovered a new data-stealing malware called DarkCloud Stealer, which has been active since 2022. It is distributed primarily through phishing emails that contain a malicious RAR file or a PDF designed to trick users into downloading the RAR from a file-sharing site. The archive contains an AutoIt-compiled executable which unpacks and executes the final payload, DarkCloud Stealer. This stealer is capable of harvesting a wide range of sensitive data, including browser and email credentials, FTP details, contact lists, system details and screenshots. It has been targeting multiple industries such as finance, manufacturing, media and entertainment, and government, with a particular focus on the U.S. and Brazil.
Source: https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit-scripting/
2025-05-16
PyPI_Packages_Targets_Solana_Developers
LOW
Intel Source:
Reversinglabs
Intel Name:
PyPI_Packages_Targets_Solana_Developers
Date of Scan:
2025-05-16
Impact:
LOW
Summary:
Researchers at ReversingLabs have discovered a malicious Python package called solana-token on the PyPI repository. It specifically targets Solana blockchain developers to steal source code and developer secrets. The package masquerades as a legitimate tool for the Solana blockchain but secretly sends Python files and their contents to a hardcoded IP address. The solana-token package was downloaded over 600 times and even reused the name of an earlier malicious package before it was removed.
Source: https://www.reversinglabs.com/blog/same-name-different-hack-pypi-package-targets-solana-developers
2025-05-16
Devices_Hit_by_Stack_Overflow
MEDIUM
Intel Source:
Fortinet
Intel Name:
Devices_Hit_by_Stack_Overflow
Date of Scan:
2025-05-16
Impact:
MEDIUM
Summary:
Fortinet researchers have discovered a stack-based buffer overflow vulnerability (CWE-121) in FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera products that could allow a remote unauthenticated attacker to execute arbitrary code or commands using specially crafted HTTP requests. Notably, this vulnerability has been extensively exploited in the wild, specifically targeting FortiVoice devices.
Source: https://fortiguard.fortinet.com/psirt/FG-IR-25-254
2025-05-16
PyInstaller_Malware_on_MacOS_Users
LOW
Intel Source:
Jamf Threat Labs
Intel Name:
PyInstaller_Malware_on_MacOS_Users
Date of Scan:
2025-05-16
Impact:
LOW
Summary:
Jamf Threat Labs uncovered a new infostealer targeting macOS users. It is delivered through PyInstaller, a legitimate tool that converts Python scripts into Mach-O executables. This technique allows attackers to execute malicious Python payloads without requiring a Python installation on the system, which matters because Apple no longer includes Python by default. The malware, named stl installer and sosorry, leverages fake password prompts to trick users into giving up their credentials. It can also run additional malicious AppleScript commands from a remote server, steal saved passwords and other sensitive information from the macOS Keychain, and search for cryptocurrency wallets to exfiltrate private keys.
Source: https://www.jamf.com/blog/pyinstaller-malware-jamf-threat-labs/
2025-05-15
Mamona_Ransomware
MEDIUM
Intel Source:
Any.Run
Intel Name:
Mamona_Ransomware
Date of Scan:
2025-05-15
Impact:
MEDIUM
Summary:
Researchers from ANY.RUN have uncovered a new ransomware strain called Mamona that first appeared in May 2025 and is believed to be linked to BlackLock affiliates. This ransomware operates offline, which means it encrypts files on the victim's system without connecting to a remote server. It encrypts files with a .HAes extension and drops ransom notes (README.HAes.txt) claiming data has been stolen. However, no data exfiltration or C2 communication has been observed. The group employs simple obfuscation techniques such as delay loops, and the ransomware deletes itself after running to avoid detection. It relies on custom encryption methods instead of standard libraries, but a decryption tool exists that can recover files. This easy-to-use ransomware lowers the entry barrier for less skilled threat actors to contribute to wider ransomware activities.
Source: https://any.run/cybersecurity-blog/mamona-ransomware-analysis/
2025-05-15
Pig_Butchering_Operation
LOW
Intel Source:
Infoblox
Intel Name:
Pig_Butchering_Operation
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
Infoblox uncovered a "pig butchering" cryptocurrency scam disguised as a remote job offer that began through a message on Telegram from a fake company called Corner Office Consultants. This fake job involved repetitive online tasks for commissions on a website impersonating the legitimate marketing firm Marble Media. After victims complete some tasks, the scammers lure them into depositing cryptocurrency by creating a negative account balance that must be topped up to continue working or withdraw supposed earnings. The cybercriminals use fake identities built on stock photos and later switched to romance scams when the task-based fraud stalled.
Source: https://blogs.infoblox.com/threat-intelligence/telegram-tango-dancing-with-a-scammer/
2025-05-15
Malware_Payload_via_Steganography
LOW
Intel Source:
ISC.SANS
Intel Name:
Malware_Payload_via_Steganography
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
ISC.SANS researchers have detailed an instance in April 2025 where malware employed steganography to deliver a secondary payload. An initial .NET executable, identified as belonging to the XWorm family, utilized obfuscated strings and reflective code loading techniques. This initial malware downloaded a PNG image file from a public image hosting service. It then extracted a hidden executable payload embedded within the red pixel channel data of the image's top row. This secondary payload was subsequently loaded reflectively into memory for execution.
Source: https://isc.sans.edu/diary/Example%20of%20a%20Payload%20Delivered%20Through%20Steganography/31892
2025-05-15
Pupkin_Stealer
LOW
Intel Source:
Rixed Labs
Intel Name:
Pupkin_Stealer
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
A recent analysis details Pupkin Stealer, a straightforward .NET-based info-stealer first identified in April 2025. It is likely developed by a Russian-speaking freelancer or novice developer known as "Ardent." Pupkin targets Windows systems, running multiple tasks to steal credentials from Chromium browsers, Discord tokens, active Telegram sessions, specific desktop files (.pdf, .txt, .sql, .jpg, .png), and even desktop screenshots. The malware relies on standard .NET libraries and embeds dependencies using Costura.Fody, which results in high file entropy but lacks advanced evasion techniques or persistence mechanisms. The stolen data is compressed into a ZIP archive and exfiltrated via a hardcoded Telegram bot API, though the exfiltration process has flaws, such as incorrect byte-to-string conversion and improper MIME type handling.
Source: https://muff-in.github.io/blog/pupkin-info-stealer-analysis/
2025-05-15
TheWizards_APT_Group_Activity
MEDIUM
Intel Source:
ESET Research
Intel Name:
TheWizards_APT_Group_Activity
Date of Scan:
2025-05-15
Impact:
MEDIUM
Summary:
Researchers at ESET have observed the activity of TheWizards, a China-aligned APT group active since at least 2022, targeting entities in the Philippines, Cambodia, UAE, mainland China, and Hong Kong. The group employs a sophisticated adversary-in-the-middle (AitM) tool named Spellbinder, which exploits IPv6 Stateless Address Autoconfiguration (SLAAC) spoofing within compromised networks. This technique allows TheWizards to intercept local network traffic, specifically DNS requests for popular Chinese software update domains (e.g., Tencent QQ, Sogou Pinyin), and redirect victims to attacker-controlled servers delivering malicious updates. These updates deploy a downloader, often disguised as a legitimate DLL side-loaded by abused executables, which in turn fetches and executes the modular .NET backdoor, WizardNet.
Source: https://www.welivesecurity.com/en/eset-research/thewizards-apt-group-slaac-spoofing-adversary-in-the-middle-attacks/
2025-05-15
Iranian_Espionage_via_Fake_Model_Site
LOW
Intel Source:
unit42
Intel Name:
Iranian_Espionage_via_Fake_Model_Site
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
Unit 42 researchers have found an emerging Iranian cyberespionage operation that used a fake website to pose as a German model agency. The website, which imitates the branding of the firm, uses obfuscated JavaScript to gather comprehensive visitor data, including IP addresses, browser fingerprints, and screen resolutions, most likely to support the selection of specific targets. A bogus profile with an invalid hyperlink to a private album points to preparations for spear phishing or other social engineering attacks.
Source: https://unit42.paloaltonetworks.com/iranian-attackers-impersonate-model-agency/
2025-05-15
Stealerium_Infostealer
LOW
Intel Source:
Seqrite
Intel Name:
Stealerium_Infostealer
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
Seqrite Labs researchers have uncovered an ongoing campaign targeting U.S. citizens during tax season by taking advantage of the annual tax filing deadline. Threat actors are sending phishing emails containing a malicious LNK file disguised as a legitimate tax-related document to deceive users into opening it. Once a user clicks on the attachment, the LNK file executes hidden PowerShell commands that download and install a data-stealing malware called Stealerium. This malware is designed to steal sensitive information such as browser passwords, crypto wallets, chat logs, VPN and Wi-Fi credentials, and other system details.
Source: https://www.seqrite.com/blog/threat-actors-are-targeting-us-tax-session-with-new-tactics-of-stealerium-infostealer/
2025-05-15
Chihuahua_Stealer
LOW
Intel Source:
G-Data
Intel Name:
Chihuahua_Stealer
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
GDATA Security researchers have identified a new .NET-based malware called Chihuahua Stealer, which is capable of stealing sensitive information from compromised systems. It first emerged in April 2025, spreading through a malicious PowerShell script hidden in a Google Drive document. Once executed, it mainly steals information from web browsers, cryptocurrency wallets, and specific user files on the system. The malware leverages scheduled tasks for persistence and downloads additional payloads from backup servers. It compresses the stolen data into a ZIP file with a .chihuahua extension, encrypted with AES-GCM through Windows APIs. The encrypted data is then exfiltrated over HTTPS, and the malware attempts to delete its traces.
Source: https://www.gdatasoftware.com/blog/2025/05/38199-chihuahua-infostealer
2025-05-15
Unveiling_LUMMAC_V2
MEDIUM
Intel Source:
Google Security Operations
Intel Name:
Unveiling_LUMMAC_V2
Date of Scan:
2025-05-15
Impact:
MEDIUM
Summary:
Google Security Operations has detailed the LUMMAC.V2 (aka Lumma, Lummastealer) infostealer, a C++ rework of the original LUMMAC credential stealer featuring a binary morpher. This malware, often distributed via malicious search results leading to fake CAPTCHA pages (the "ClickFix" technique), tricks users into executing PowerShell commands via the Run dialog. The initial PowerShell loader fetches subsequent stages, which Mandiant has observed employing varied execution methods including DLL search order hijacking, process hollowing (targeting BitlockerToGo.exe), and obfuscated AutoIt-based droppers performing anti-analysis checks. LUMMAC.V2 establishes persistence via registry Run keys and targets a wide array of sensitive data including browser credentials, cryptocurrency wallets, password managers, email clients, system details, and screenshots, exfiltrating the stolen information as a ZIP archive over HTTP to Cloudflare-fronted command-and-control servers.
Source: https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Unveiling-LUMMAC-V2-with-Google-Security/ba-p/899110
2025-05-15
Python_InfoStealer_with_Phishing_Server
LOW
Intel Source:
ISC.SANS
Intel Name:
Python_InfoStealer_with_Phishing_Server
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
Researchers at ISC.SANS have found a Python-based InfoStealer that not only has basic capabilities such as anti-debugging, persistence via registry and scheduled tasks, keylogging, clipboard capture, and periodic snapshots, but also embeds a phishing web server using Flask. The malware sends data encrypted with the Fernet module to a Telegram channel and operates its modules in separate threads to maximize efficiency.
Source: https://isc.sans.edu/diary/rss/31924
2025-05-15
ContagiousInterview_Campaign_Infrastructure
LOW
Intel Source:
Team Cymru
Intel Name:
ContagiousInterview_Campaign_Infrastructure
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
Team Cymru researchers have disclosed network infrastructure details associated with DPRK-linked actors conducting "ContagiousInterview" campaigns, observed over several years as of April 2025. The threat actors utilize front companies, such as BlockNovas LLC, with associated domains hosted on Russian infrastructure, specifically IP addresses assigned to TransTelecom and InvestStroyTrest. InvestStroyTrest operates a ferry service between Russia and North Korea from Rajin, KP, a service recently highlighted by a captured North Korean soldier, suggesting a potential link between the cyber infrastructure provider and physical logistics supporting DPRK objectives.
Source: https://x.com/teamcymru_S2/status/1915827990774063179
2025-05-15
Atomic_Stealer_Distributed_as_a_Crack_Program
LOW
Intel Source:
ASEC
Intel Name:
Atomic_Stealer_Distributed_as_a_Crack_Program
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
ASEC researchers have identified a malware campaign in which a macOS information stealer dubbed Atomic Stealer (AMOS) is being distributed as cracked software such as Evernote. When users visit these malicious sites, their device type is checked: macOS users are redirected to the AMOS download page, while Windows users are directed to LummaC2 malware. The AMOS stealer employs AppleScript and system commands to steal browser data, keychain passwords, cryptocurrency wallets, and other sensitive files. Additionally, the malware checks for virtual machine environments before compressing the collected data and secretly sending it to the attacker's server via HTTP POST requests.
Source: https://asec.ahnlab.com/ko/87730/
2025-05-15
Nitrogen_Dropping_Cobalt_Strike
MEDIUM
Intel Source:
Nextron Systems
Intel Name:
Nitrogen_Dropping_Cobalt_Strike
Date of Scan:
2025-05-15
Impact:
MEDIUM
Summary:
Nextron Systems researchers have observed activity by the Nitrogen ransomware group, first detected in September 2024 and expanding from North America to Africa and Europe. This group gains initial access primarily through malvertising campaigns, tricking users searching for legitimate software like WinSCP into downloading trojanized installers from compromised WordPress sites. These installers utilize DLL sideloading ("NitrogenLoader") to execute malicious code, ultimately deploying Cobalt Strike beacons. Nitrogen actors use the compromised host as a pivot point, leveraging Cobalt Strike for lateral movement and post-compromise actions while attempting to cover tracks by clearing Windows event logs.
Source: https://www.nextron-systems.com/2025/04/29/nitrogen-dropping-cobalt-strike-a-combination-of-chemical-elements/
2025-05-15
Pentagon_Stealer
LOW
Intel Source:
Any.Run
Intel Name:
Pentagon_Stealer
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
ANY.RUN researchers have detailed the emergence and evolution of Pentagon Stealer, an information-stealing malware observed since early March 2024, targeting cryptocurrency assets and user credentials. Initially identified in Golang and Python variants, the malware steals browser data (credentials, cookies), crypto wallet information (Atomic, Exodus), Discord/Telegram tokens, and specific files, communicating stolen data via HTTP POST requests to command and control (C2) servers. Key techniques include launching browsers in debug mode to bypass DPAPI and steal cookies directly, and replacing wallet application files (app.asar) with modified versions to capture mnemonics and passwords. The Python version employs multi-stage, AES-encrypted delivery, while the Golang version appeared later in attack chains involving NSIS installers.
Source: https://any.run/cybersecurity-blog/pentagon-stealer-malware-analysis/
2025-05-15
Uncovering_SuperShell_and_CobaltStrike
LOW
Intel Source:
Hunt.IO
Intel Name:
Uncovering_SuperShell_and_CobaltStrike
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
Hunt.IO researchers have discovered a collection of hacking tools, including SuperShell malware and Cobalt Strike beacons, that were accessible on the internet. These tools were unintentionally exposed by threat actors while setting up their attack infrastructure. SuperShell is a new C2 framework capable of targeting multiple operating systems, using SSH connections to control compromised machines. Additionally, the researchers identified Cobalt Strike beacons using separate infrastructure and deceptive certificates impersonating jQuery to evade detection.
Source: https://hunt.io/blog/uncovering-supershell-and-cobalt-strike-from-an-open-directory
2025-05-15
Swan_Vector_APT_Targets_East_Asia
LOW
Intel Source:
Seqrite
Intel Name:
Swan_Vector_APT_Targets_East_Asia
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
Researchers from Seqrite Labs have discovered a cyber-espionage campaign known as Swan Vector that targeted businesses in Taiwan and Japan, notably those in the education and mechanical engineering fields. The attackers use false resumes as decoys to deploy a four-stage malware chain that starts with a malicious LNK file and ends with the execution of Cobalt Strike shellcode. To avoid detection, the campaign uses a variety of stealth techniques such as DLL sideloading, API hashing, and direct syscalls, while also abusing legitimate tools such as RunDLL32.exe.
Source: https://www.seqrite.com/blog/swan-vector-apt-targeting-taiwan-japan-dll-implants/
2025-05-15
Scattered_Spider_Hits_UK_Retail
HIGH
Intel Source:
Cyberint
Intel Name:
Scattered_Spider_Hits_UK_Retail
Date of Scan:
2025-05-15
Impact:
HIGH
Summary:
Researchers at Cyberint have discovered that the financially motivated threat group Scattered Spider, also known as Roasting 0ktapus or Scatter Swine, is most likely responsible for recent cyberattacks against UK retail organizations, with the DragonForce ransomware cartel being blamed for the extortion stage. Scattered Spider has been active since 2022, transitioning from targeting telecom and BPO sectors to attacking high-leverage businesses such as retail, particularly during peak seasons. The group deploys advanced identity-centric approaches, such as social engineering, SMS and Telegram phishing, SIM swapping, and MFA fatigue attacks. It uses vulnerabilities such as CVE-2015-2291 and CVE-2021-35464, as well as tools like STONESTOP, POORTRY, and various remote access applications, to disable protections, gain persistence, and exfiltrate data.
Source: https://cyberint.com/blog/dark-web/meet-scattered-spider-the-group-currently-scattering-uk-retail-organizations/
2025-05-15
Gremlin_Stealer
LOW
Intel Source:
Palo Alto
Intel Name:
Gremlin_Stealer
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
Researchers from Palo Alto have discovered a new info-stealing malware called Gremlin Stealer that first emerged in March 2025. It is written in C and capable of stealing sensitive data from Windows systems, such as passwords, browser cookies, form inputs, and credit card information from popular browsers including Chrome and Gecko-based browsers. It also targets cryptocurrency wallets (Exodus, MetaMask, Monero), FTP clients (TotalCommander, FileZilla), VPNs, Steam, and Telegram and Discord channels. The malware collects system information, takes screenshots, swaps crypto wallet addresses, and sends all stolen data in a ZIP file to a command-and-control server or via Telegram. The operation appears to make money both by selling the malware and through the stolen data.
Source: https://unit42.paloaltonetworks.com/new-malware-gremlin-stealer-for-sale-on-telegram/
2025-05-15
Fake_SSA_Emails_Install_Remote_Access_Tool
MEDIUM
Intel Source:
MalwareBytes
Intel Name:
Fake_SSA_Emails_Install_Remote_Access_Tool
Date of Scan:
2025-05-15
Impact:
MEDIUM
Summary:
Malwarebytes researchers have identified a phishing campaign leveraging fake US Social Security Administration (SSA) emails to trick users into installing the legitimate remote access tool ScreenConnect. These deceptive emails, sent by a group known as Molatori, claim that a Social Security statement is ready to download, but only on Windows PCs. When victims click the link, they unknowingly install ScreenConnect, which gives attackers full remote access to their systems. This access allows them to execute commands, transfer files, install further malware, and exfiltrate sensitive data like banking details and personal identification numbers.
Source: https://www.malwarebytes.com/blog/news/2025/04/fake-social-security-statement-emails-trick-users-into-installing-remote-tool
2025-05-15
APT36_Spoofs_Indias_Defence_Portal
HIGH
Intel Source:
Hunt.IO
Intel Name:
APT36_Spoofs_Indias_Defence_Portal
Date of Scan:
2025-05-15
Impact:
HIGH
Summary:
Hunt.io researchers have identified an attack campaign employing APT36-style ClickFix techniques, observed in March 2025, spoofing India's Ministry of Defence to deliver cross-platform malware. The operation involved cloning the Ministry's press release portal, using attacker-controlled domains mimicking official subdomains, and directing visitors based on their operating system (Windows or Linux) to specific pages designed to facilitate malware execution via clipboard hijacking. Windows users were served an HTA payload via mshta.exe after a spoofed "For Official Use Only" warning, while Linux users were prompted to execute a shell script downloaded from a likely compromised .in domain following a fake CAPTCHA lure.
Source: https://hunt.io/blog/apt36-clickfix-campaign-indian-ministry-of-defence
2025-05-15
Gunra_Ransomware_Targeting_Windows
MEDIUM
Intel Source:
Cyfirma
Intel Name:
Gunra_Ransomware_Targeting_Windows
Date of Scan:
2025-05-15
Impact:
MEDIUM
Summary:
Researchers at CYFIRMA have discovered a new ransomware strain called Gunra that mainly targets Windows-based systems in a variety of worldwide industries, including real estate, pharmaceuticals, and manufacturing. Gunra, based on Conti ransomware, uses double-extortion techniques by encrypting files with the ".ENCRT" extension and threatening to expose stolen data over a Tor-hosted page. The malware uses complex tactics such as anti-analysis with the IsDebuggerPresent API, evasion of rule-based detections, obfuscation, and shadow copy deletion via WMI.
Source: https://www.cyfirma.com/research/gunra-ransomware-a-brief-analysis/
2025-05-15
Criminals_Targeting_End_of_Life_Routers
LOW
Intel Source:
Bitdefender
Intel Name:
Criminals_Targeting_End_of_Life_Routers
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
The FBI has issued a cybersecurity advisory about a surge in malicious activity targeting end-of-life (EOL) routers, with a particular focus on outdated Linksys models. Threat actors are exploiting known and unpatchable vulnerabilities commonly found in the built-in remote management software of these unsupported devices. The FBI reports that attackers are deploying malware such as 5Socks and Anyproxy to gain persistent root-level access, effectively converting the compromised routers into botnet infrastructure. These devices are then used to steal sensitive user information like login credentials and financial information, to launch DDoS attacks, or are sold as proxy nodes to other threat actors.
Source: https://www.bitdefender.com/en-us/blog/hotforsecurity/fbi-end-of-life-routers-cyberattacks
2025-05-15
SPID_Phishing_Campaign
LOW
Intel Source:
CERT-AGID
Intel Name:
SPID_Phishing_Campaign
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
CERT-AGID has identified a phishing campaign targeting SPID users by exploiting the AgID name and logo through a recently registered fake domain. The phishing emails, with the subject line “Imminent SPID suspension: mandatory action”, urge recipients to click an Update Documentation button that redirects them to a malicious site designed to steal SPID credentials, copies of identity documents, and recognition videos.
Source: https://cert-agid.gov.it/news/campagna-di-phishing-spid-tramite-falso-dominio-agid/
2025-05-14
Operation_ToyBox_Story
HIGH
Intel Source:
Genians Security Center
Intel Name:
Operation_ToyBox_Story
Date of Scan:
2025-05-14
Impact:
HIGH
Summary:
Genians Security Center (GSC) detailed "Operation: ToyBox Story," a March 2025 spear-phishing campaign by the North Korean state-sponsored group APT37 targeting activists focused on North Korea. Using lures disguised as South Korean national security think tank invitations or information on North Korean troops in Russia, the campaign delivered malicious LNK files via Dropbox links within emails. Execution of the LNK file triggers a multi-stage infection chain involving hidden PowerShell commands, shellcode injection, and the deployment of the RokRAT backdoor, which harvests system information and screenshots for exfiltration. APT37 leverages legitimate cloud platforms like Dropbox, pCloud, and Yandex as command-and-control (C2) infrastructure, demonstrating a "Living off Trusted Sites" approach to evade detection. This continued reliance on cloud services and fileless techniques for payload delivery underscores APT37's persistent espionage objectives and presents a significant challenge for signature-based defenses, necessitating robust endpoint detection and response (EDR) capabilities and anomaly hunting to identify and mitigate the threat.
Source: https://www.genians.co.kr/en/blog/threat_intelligence/toybox-story
2025-05-14
Malicious_PyPI_Package_Targets_Discord_Developers
LOW
Intel Source:
Socket
Intel Name:
Malicious_PyPI_Package_Targets_Discord_Developers
Date of Scan:
2025-05-14
Impact:
LOW
Summary:
Socket Research Team has discovered a malicious Python package called discordpydebug targeting Discord developers. This package masqueraded as a benign tool for logging application errors but actually contained a hidden Remote Access Trojan (RAT). Once installed, it connects to a server controlled by attackers, enabling them to run commands, read and write files, and exfiltrate sensitive data such as tokens and credentials from compromised developer systems. The package was downloaded over 11,000 times before it was taken down.
Source: https://socket.dev/blog/malicious-pypi-package-targets-discord-developers-with-RAT
2025-05-14
Horabot_Malware_Campaign
MEDIUM
Intel Source:
Fortinet
Intel Name:
Horabot_Malware_Campaign
Date of Scan:
2025-05-14
Impact:
MEDIUM
Summary:
Researchers from Fortinet have uncovered a malware campaign named Horabot targeting Spanish-speaking users across Latin America. The threat actor leverages phishing emails masquerading as legitimate invoices, embedding malicious HTML attachments that initiate a multi-stage infection chain using VBScript, AutoIt, and PowerShell. The malware performs environmental checks to evade antivirus and virtual machines before establishing persistence. Once established, it collects system information, extracts Outlook contacts, and steals browser credentials. It also leverages Outlook COM automation to spread laterally by sending phishing emails from compromised accounts, enabling data exfiltration and the deployment of additional banking trojans.
Source: https://www.fortinet.com/blog/threat-research/horabot-unleashed-a-stealthy-phishing-threat
2025-05-13
Marbled_Dust
HIGH
Intel Source:
Microsoft
Intel Name:
Marbled_Dust
Date of Scan:
2025-05-13
Impact:
HIGH
Summary:
Microsoft Threat Intelligence reports that since April 2024, the Türkiye-affiliated espionage actor Marbled Dust has exploited a zero-day directory traversal vulnerability (CVE-2025-27920) in the Output Messenger chat application. The actor targets entities associated with the Kurdish military operating in Iraq, consistent with Marbled Dust's previously observed regional targeting priorities aimed at furthering Turkish government interests. After gaining authenticated access to the Output Messenger Server Manager, potentially via intercepted credentials from DNS hijacking or typo-squatting, Marbled Dust exploits the vulnerability to deploy VBScripts and a GoLang backdoor, enabling command-and-control communication and data exfiltration. This campaign signifies an increase in Marbled Dust's technical sophistication through the use of a zero-day exploit, posing a substantial espionage risk, as compromise grants attackers broad access to sensitive communications and user data within the targeted organization.
Source: https://www.microsoft.com/en-us/security/blog/2025/05/12/marbled-dust-leverages-zero-day-in-output-messenger-for-regional-espionage/
2025-05-13
Cursor_IDE_Hijacked_via_Malicious_NPM
LOW
Intel Source:
Socket
Intel Name:
Cursor_IDE_Hijacked_via_Malicious_NPM
Date of Scan:
2025-05-13
Impact:
LOW
Summary:
Socket researchers have identified three malicious npm packages (sw-cur, sw-cur1, aiide-cur) targeting macOS developers using the popular Cursor AI code editor. Published by threat actors using the aliases gtr2018 and aiide, these packages masqueraded as tools offering a cheap Cursor API, luring developers seeking cost savings. Upon execution, the malware steals Cursor credentials, fetches an AES-encrypted secondary payload from actor-controlled infrastructure, decrypts it, and overwrites the editor's core main.js file, establishing persistent backdoor access within the trusted IDE environment; one variant also disabled auto-updates.
Source: https://socket.dev/blog/malicious-npm-packages-hijack-cursor-editor-on-macos?utm_medium=feed
2025-05-13
PupkinStealer
LOW
Intel Name:
PupkinStealer
Date of Scan:
2025-05-13
Impact:
LOW
Summary:
Cyfirma researchers have discovered a new infostealer malware called PupkinStealer that first emerged in April 2025 and is attributed to an actor of Russian origin known as Ardent. This malware is written in .NET and designed to steal sensitive information from Windows systems. It targets saved passwords from browsers like Chrome, Edge, and Opera, collects desktop files, steals session data from Telegram and Discord, and takes screenshots. Once collected, the data is stored in a temporary folder, zipped into a file named after the victim’s username, and sent to the attacker using the Telegram Bot API.
Source: https://www.cyfirma.com/research/pupkinstealer-a-net-based-info-stealer/
2025-05-13
WaterPlum_Using_OtterCookie_Malware_New_Features
MEDIUM
Intel Source:
NTT Security
Intel Name:
WaterPlum_Using_OtterCookie_Malware_New_Features
Date of Scan:
2025-05-13
Impact:
MEDIUM
Summary:
NTT Security researchers have observed the continued evolution of OtterCookie malware, utilized by the North Korea-linked threat actor WaterPlum (also known as Famous Chollima or PurpleBravo). OtterCookie, first identified in September 2024, targets financial institutions, cryptocurrency operators, and FinTech companies worldwide. The latest versions, v3 (observed February 2025) and v4 (observed April 2025), introduce enhanced stealer capabilities. Version 3 added an upload module for exfiltrating documents, images, and cryptocurrency-related files from non-Windows environments. Version 4 further expands functionality with two new stealer modules: one decrypts and steals Google Chrome credentials using DPAPI, while another exfiltrates MetaMask, Chrome, Brave browser credentials, and macOS credentials without decryption.
Source: https://jp.security.ntt/tech_blog/en-waterplum-ottercookie
2025-05-12
BPFDoor_Linux_Malware_Activity
MEDIUM
Intel Source:
ASEC
Intel Name:
BPFDoor_Linux_Malware_Activity
Date of Scan:
2025-05-12
Impact:
MEDIUM
Summary:
Researchers at AhnLab have observed the continuous exploitation of the Linux-based backdoor malware BPFDoor in recent hacking attacks, as detailed in a new alert and a related hash notification from KISA. Initially described in an October 2024 ASEC blog article, BPFDoor remains a continuous threat due to its open-source nature, which allows for the ongoing distribution of multiple modified strains.
Source: https://asec.ahnlab.com/en/87863/
2025-05-12
Chinese_Group_Exploiting_SAP_Vulnerability
MEDIUM
Intel Source:
Forescout
Intel Name:
Chinese_Group_Exploiting_SAP_Vulnerability
Date of Scan:
2025-05-12
Impact:
MEDIUM
Summary:
Researchers at Forescout have observed that CVE-2025-31324, a critical deserialization vulnerability in SAP NetWeaver Visual Composer 7.x, is being actively exploited in the wild by a Chinese threat actor tracked as Chaya_004. Exploitation, observed since at least April 29, involves POST requests to the /developmentserver/metadatauploader endpoint to upload web shells, facilitating remote code execution and potential full system takeover. The threat actor's infrastructure includes servers, many hosted on Chinese cloud providers, hosting Supershell backdoors and various Chinese-origin penetration testing tools.
Source: https://www.forescout.com/blog/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor/
2025-05-12
Lumma_Infostealer_GitHub_Campaign
LOW
Intel Source:
Picus Security
Intel Name:
Lumma_Infostealer_GitHub_Campaign
Date of Scan:
2025-05-12
Impact:
LOW
Summary:
Lumma Stealer, an information-stealing malware offered as a Malware-as-a-Service (MaaS) since August 2022, has seen a significant surge in use throughout 2024-2025, with Picus Security reporting a 369% increase in infections in late 2024. Financially motivated cybercriminals, including affiliates like the "Stargazer Goblin" group, leverage Lumma Stealer to harvest credentials, banking information, and cryptocurrency wallets. Operators primarily abuse trusted platforms like GitHub for initial access, using spearphishing links in fake issue comments or bogus security team notifications to distribute trojanized installers, often disguised as fixes or legitimate tools. Other tactics include malvertising campaigns leading to fake CAPTCHA pages that trick users into executing malicious PowerShell commands. Lumma employs numerous defense evasion techniques such as "Living off the Land" (using legitimate tools like mshta.exe, PowerShell, and WMI), payload encryption, sandbox detection, and process hollowing. Stolen data is typically exfiltrated via HTTP/HTTPS to attacker C2 servers.
Source: https://www.picussecurity.com/resource/blog/lumma-infostealer-continues-its-github-social-engineering-campaign
2025-05-11
Multilayered_Email_Attack
LOW
Intel Source:
Fortinet
Intel Name:
Multilayered_Email_Attack
Date of Scan:
2025-05-11
Impact:
LOW
Summary:
FortiGuard researchers have uncovered a multilayered email campaign targeting organizations in Spain, Italy, and Portugal. The attackers are distributing a Java-based RAT called Ratty by sending deceptive PDF invoice attachments via a legitimate Spanish email service provider. When victims open the PDF and click the link inside, they are taken through various steps, including file-sharing services like Dropbox and MediaFire, a fake CAPTCHA page, and a hidden server exposed through Ngrok, to deliver the malware. The campaign uses evasion techniques such as geo-blocking, so only users in specific countries (Italy) receive the actual malware while others just see a malicious document. Once the malware is installed on Windows, Linux, or macOS, it gives attackers full control, allowing them to execute commands, steal files, record keystrokes, and even turn on webcams or microphones.
Source: https://www.fortinet.com/blog/threat-research/multilayered-email-attack-how-a-pdf-invoice-and-geofencing-led-to-rat-malware
2025-05-11
Eye_Pyramid_C2
MEDIUM
Intel Source:
Intrinsec
Intel Name:
Eye_Pyramid_C2
Date of Scan:
2025-05-11
Impact:
MEDIUM
Summary:
Intrinsec researchers discovered that several major ransomware groups, such as RansomHub, Rhysida, Vice Society, and BlackCat, are leveraging the same C2 infrastructure based on the open-source Eye Pyramid framework. The investigation began by analyzing RansomHub’s Python-based backdoor and uncovered a network of connected servers, some hosted on bulletproof services, linked through a common JSON error message returned by the Eye Pyramid tool. These threat actors leverage Eye Pyramid for post-compromise activities, including EDR evasion and the in-memory deployment of tools like Cobalt Strike and Sliver, which eventually leads to ransomware attacks.
Source: https://www.intrinsec.com/ip-cluster-linking-ransomware-activity-and-eye-pyramid-c2/?cn-reloaded=1
2025-05-11
The_Growing_Threat_of_Vishing
LOW
Intel Source:
Trellix
Intel Name:
The_Growing_Threat_of_Vishing
Date of Scan:
2025-05-11
Impact:
LOW
Summary:
Researchers from Trellix have observed a rise in advanced voice phishing campaigns in which cybercriminals leverage email attachments to trick people into calling fake support numbers. These cybercriminals impersonate well-known organisations like PayPal and send emails that contain minimal text but include attachments such as PDF, image, MP4, and WebP files to create urgency. When victims call the fake support numbers, the attackers use social engineering tactics to manipulate them into sharing sensitive information such as login credentials and financial details, which often leads to unauthorized transactions.
Source: https://www.trellix.com/blogs/research/the-growing-threat-of-vishing-how-cybercriminals-are-using-multimedia-to-target-you/
2025-05-11
Hunting_Malicious_Desktop_Files
MEDIUM
Intel Source:
Google Cloud
Intel Name:
Hunting_Malicious_Desktop_Files
Date of Scan:
2025-05-11
Impact:
MEDIUM
Summary:
Researchers from Google have observed an evolution in attacks where threat actors infect Linux systems using malicious .desktop files. The malicious files are often disguised as shortcuts to documents like PDFs but actually contain hidden code that downloads and executes malware such as cryptominers. When a user opens the legitimate-looking files, they secretly execute malicious code in the background. These attacks take advantage of standard Linux desktop features found in environments like XFCE, GNOME, and KDE. This tactic particularly affects users in India and Australia.
Source: https://www.googlecloudcommunity.com/gc/Community-Blog/Actionable-threat-hunting-with-Google-Threat-Intelligence-I/ba-p/895333
2025-05-11
Intrusion_of_Interlock_Ransomware
MEDIUM
Intel Source:
GuidePoint
Intel Name:
Intrusion_of_Interlock_Ransomware
Date of Scan:
2025-05-11
Impact:
MEDIUM
Summary:
Researchers at GuidePoint have uncovered a cyber-attack by Interlock ransomware in which attackers trick users into downloading SocGholish malware through fake human verification pop-ups on compromised legitimate websites. Once initial access is gained, Interlock operators install NetSupportRAT to maintain persistence in the system, perform network scanning, and escalate their privileges using techniques such as hijacking Microsoft 365 sessions and stealing credentials from LastPass. Afterward, the attackers use a renamed version of the AzCopy tool to transfer sensitive data to attacker-controlled cloud storage. Finally, they deploy the Interlock ransomware, leveraging tools like PsExec or even Group Policy Objects to spread across systems, locking users out and encrypting data.
Source: https://www.guidepointsecurity.com/blog/interesting-interlock-intrusion-how-interlock-achieves-encryption/
2025-05-10
RedisRaider_Campaign
MEDIUM
Intel Source:
Datadog Security Labs
Intel Name:
RedisRaider_Campaign
Date of Scan:
2025-05-10
Impact:
MEDIUM
Summary:
Researchers from Datadog have identified an advanced Linux cryptojacking campaign that actively exploits publicly accessible Redis servers. The attackers deploy a Go-based worm that scans the internet for vulnerable Redis servers. Once a target is found, they abuse legitimate Redis functionality to install scheduled tasks that download and run a customized Monero (XMR) cryptocurrency miner. They also run a web-based Monero miner hosted on their own servers, indicating multiple methods of monetization. The malware employs significant obfuscation through tools like Garble and custom payload packing, and includes anti-forensics techniques to avoid detection. If the attack is successful, it can slow down affected systems, drain resources, and potentially open the door to more serious breaches.
Source: https://securitylabs.datadoghq.com/articles/redisraider-weaponizing-misconfigured-redis/
2025-05-10
Nitrogen_Ransomware
MEDIUM
Intel Source:
Any.Run
Intel Name:
Nitrogen_Ransomware
Date of Scan:
2025-05-10
Impact:
MEDIUM
Summary:
Researchers from Any.Run have uncovered a new ransomware group named Nitrogen Ransomware, which has been active since at least September 2024, primarily targeting the financial, construction, manufacturing, and tech sectors in the United States, Canada and the United Kingdom. The group's modus operandi involves encrypting critical data and demanding ransoms. It leverages various techniques such as creating a unique mutex before encryption, exploiting a legitimate but vulnerable driver to disable antivirus and endpoint detection, and modifying system settings with bcdedit.exe to disable Windows Safe Boot and system recovery. Researchers also suspect a link between Nitrogen and the LukaLocker ransomware group based on similar file extensions and ransom notes.
Source: https://any.run/cybersecurity-blog/nitrogen-ransomware-report/
2025-05-10
COLDRIVER_Using_LOSTKEYS_Malware
MEDIUM
Intel Source:
Google Cloud
Intel Name:
COLDRIVER_Using_LOSTKEYS_Malware
Date of Scan:
2025-05-10
Impact:
MEDIUM
Summary:
Researchers from Google have discovered a new malware called LOSTKEYS linked to the Russian threat actor named COLDRIVER, aka UNC4057 and Star Blizzard. Initially, the group focused on stealing credentials through phishing emails, but it has now incorporated malware to exfiltrate documents and system information from Western governments, NGOs, former diplomats, journalists and individuals linked to Ukraine. The attackers lure victims to a fraudulent website displaying a fake CAPTCHA which instructs them to copy and execute a PowerShell command that initiates a multi-stage process which installs the malware. The final payload executes a VBS script that searches specific directories for files with specific extensions, stealing them along with system information. The primary goal of COLDRIVER's operations is to collect intelligence in support of Russia's strategic interests.
Source: https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos/
2025-05-10
CoGUI_Phish_Kit_Targeting_Japan
MEDIUM
Intel Source:
Proofpoint
Intel Name:
CoGUI_Phish_Kit_Targeting_Japan
Date of Scan:
2025-05-10
Impact:
MEDIUM
Summary:
Researchers at Proofpoint have observed a high-volume phishing campaign leveraging a kit named CoGUI, primarily targeting Japanese organizations since at least October 2024, with activity peaking in January 2025 with over 172 million messages. The CoGUI phishing kit, likely operated by multiple Chinese-speaking threat actors, impersonates well-known consumer and finance brands such as Amazon, PayPay, and Rakuten, with the objective of stealing usernames, passwords, and payment data. It employs advanced evasion techniques including geofencing, header fencing, and browser fingerprinting to selectively target users, primarily in Japan, though less frequent campaigns have targeted Australia, New Zealand, Canada, and the United States. Although similar in some aspects to the Darcula phishing kit, CoGUI is distinct.
Source: https://www.proofpoint.com/us/blog/threat-insight/cogui-phish-kit-targets-japan-millions-messages
2025-05-09
Play_Ransomware_Leveraged_Windows_Zero_day
MEDIUM
Intel Source:
Symantec
Intel Name:
Play_Ransomware_Leveraged_Windows_Zero_day
Date of Scan:
2025-05-09
Impact:
MEDIUM
Summary:
Symantec researchers uncovered that attackers linked to the Play ransomware group, also known as Balloonfly, leveraged a zero-day Windows privilege escalation vulnerability (CVE-2025-29824) during an attempted attack against a U.S. organisation prior to the vulnerability's disclosure and patching on April 8, 2025. Although no ransomware payload was deployed, the attackers used a custom information-stealer called Grixba along with several hacking tools. They took advantage of a bug in the Common Log File System (CLFS) kernel driver by manipulating system memory, allowing them to steal sensitive data, create an admin account, and delete artifacts. Microsoft reported that only a few organizations in the U.S., Venezuela, Spain, and Saudi Arabia were targeted, potentially by multiple actors including Storm-2460, before the patch was released.
Source: https://www.security.com/threat-intelligence/play-ransomware-zero-day
2025-05-09
Evolving_Malware_via_Dynamic_Modules
LOW
Intel Source:
ISC.SANS
Intel Name:
Evolving_Malware_via_Dynamic_Modules
Date of Scan:
2025-05-09
Impact:
LOW
Summary:
Researchers at ISC.SANS have noticed a growing trend in malware development in which attackers use "modular" tactics to extend the functionality of their malware only when necessary. This strategy, similar to on-demand library loading in software development, enables malware to grow its capabilities based on the environment it infects. For example, a malware sample classified as a Discord RAT is programmed to scan a victim's PC for specified targets, such as SAP-related files, before dynamically fetching additional modules from a command and control server to expand its reach. This strategy not only minimizes the initial size of the malware, but also makes it appear less suspicious, allowing it to avoid detection.
Source: https://isc.sans.edu/diary/rss/31928
2025-04-29
Tax_Return_Scam_and_Phishing_Alert
MEDIUM
Intel Source:
Palo Alto
Intel Name:
Tax_Return_Scam_and_Phishing_Alert
Date of Scan:
2025-04-29
Impact:
MEDIUM
Summary:
In the past four months, numerous newly registered domains with tax return themes have emerged. Unit42 researchers have identified several phishing and scam campaigns exploiting the U.S. tax return season.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-04-15-IOCs-for-tax-return-related-phishing-and-scams.txt
2025-04-29
Outlaw_A_Crypto_Mining_Botnet
MEDIUM
Intel Source:
Securelist
Intel Name:
Outlaw_A_Crypto_Mining_Botnet
Date of Scan:
2025-04-29
Impact:
MEDIUM
Summary:
Researchers at Securelist have uncovered a cyberattack by a group called Outlaw, also known as Dota. It is a Perl-based crypto mining botnet targeting Linux systems, primarily for cryptojacking. The botnet targeted systems in the U.S., Brazil, Germany, and several Asian countries by taking advantage of weak SSH credentials on misconfigured accounts like "suporte" to gain unauthorized access. After gaining access, the attackers used Linux tools like wget and curl to download malicious scripts and compressed files. The malware then removed other cryptominers and installed its customized XMRig to use the system's resources to mine Monero cryptocurrency. The botnet maintained persistence by modifying SSH keys, disguising itself as legitimate processes and leveraging an IRC-based backdoor for remote access.
Source: https://securelist.com/outlaw-botnet/116444/
2025-04-28
CrazyHunter_Targets_Taiwanese_Critical_Sectors
MEDIUM
Intel Source:
Trend Micro
Intel Name:
CrazyHunter_Targets_Taiwanese_Critical_Sectors
Date of Scan:
2025-04-28
Impact:
MEDIUM
Summary:
Trend Micro researchers have discovered a ransomware campaign called CrazyHunter that is actively targeting Taiwan's significant sectors, such as healthcare, education, and industrial enterprises. The group has demonstrated advanced capabilities by using the Bring Your Own Vulnerable Driver (BYOVD) technique to bypass security controls and incorporating a diverse set of open-source tools from platforms such as GitHub, including the Prince Ransomware Builder and ZammoCide, accounting for roughly 80% of their toolkit.
Source: https://www.trendmicro.com/en_us/research/25/d/crazyhunter-campaign.html
2025-04-28
Power_Parasites_Scam_Campaign
LOW
Intel Source:
Silent Push
Intel Name:
Power_Parasites_Scam_Campaign
Date of Scan:
2025-04-28
Impact:
LOW
Summary:
Silent Push researchers have discovered an ongoing scam campaign known as "Power Parasites," which uses false websites, social media groups, and Telegram channels to carry out bogus job and investment scams. The campaign, which primarily targets individuals in Asian countries such as Bangladesh, Nepal, and India, impersonates large worldwide businesses, particularly those in the energy sector.
Source: https://www.silentpush.com/blog/power-parasites/?utm_source=rss&utm_medium=rss&utm_campaign=power-parasites
2025-04-28
KeyPlug_Malware_Exposure
LOW
Intel Source:
Hunt.IO
Intel Name:
KeyPlug_Malware_Exposure
Date of Scan:
2025-04-28
Impact:
LOW
Summary:
Researchers from Hunt.IO have discovered that a briefly exposed server linked to KeyPlug malware infrastructure, likely associated with RedGolf/APT41, provided a rare glimpse into active adversary operations. The server, which stayed live for less than 24 hours, included Fortinet firewall and VPN exploit scripts, a PHP-based webshell capable of AES- and XOR-decrypted payload execution, and reconnaissance tools targeting the authentication, development, and identity portals of a large Japanese corporation.
Source: https://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells
2025-04-28
Stego_Campaign_delivers_AsyncRAT
LOW
Intel Source:
Sophos
Intel Name:
Stego_Campaign_delivers_AsyncRAT
Date of Scan:
2025-04-28
Impact:
LOW
Summary:
Sophos researchers have discovered a malware campaign where attackers hide malicious code inside images using a technique called steganography. The attack begins with phishing emails that trick users into opening an MS Office document. When opened, it runs a hidden script that downloads a modified Windows script file, which triggers a PowerShell script that secretly downloads an image file containing malicious code. The embedded code includes DLL files that use the process hollowing technique to load the tool known as AsyncRAT. This tool gives attackers full access to the victim's system, allowing them to spy on users, log keystrokes, control the desktop remotely and even deploy ransomware.
Source: https://medium.com/@andrew.petrus/stego-campaign-delivers-asyncrat-446cba118c6b
2025-04-28
XLoader_Infostealer_Exploits_Past_Vulnerability
LOW
Intel Source:
ASEC
Intel Name:
XLoader_Infostealer_Exploits_Past_Vulnerability
Date of Scan:
2025-04-28
Impact:
LOW
Summary:
ASEC researchers have uncovered a phishing campaign that distributes the XLoader info-stealer malware through emails disguised as purchase or order confirmations. These emails trick recipients into opening a DOCX attachment that secretly contains a malicious RTF file exploiting a known vulnerability (CVE-2017-11882) in Microsoft's Equation Editor. When the file is opened, it runs a hidden script that launches the XLoader malware using a tool called HorusProtector to inject the malicious payload into a legitimate process.
Source: https://asec.ahnlab.com/ko/87689/
2025-04-28
Targeted_Phishing_Using_PHP_Kits
LOW
Intel Source:
Hunt.IO
Intel Name:
Targeted_Phishing_Using_PHP_Kits
Date of Scan:
2025-04-28
Impact:
LOW
Summary:
Hunt.io researchers have discovered an active server-side phishing campaign targeting employee and member portals via a PHP-based phishing kit. Unlike previous approaches, which relied on client-side redirects to validate stolen credentials, the most recent approach performs similar checks server-side, apparently to hinder analysis and limit visibility.
Source: https://hunt.io/blog/server-side-phishing-evasion-employee-portals
2025-04-28
Hannibal_Stealer
LOW
Intel Source:
Cyfirma
Intel Name:
Hannibal_Stealer
Date of Scan:
2025-04-28
Impact:
LOW
Summary:
Cyfirma researchers have identified a data-stealing malware called Hannibal Stealer. This malware first emerged in February 2025 and is an enhanced version of the Sharp and TX stealers. Hannibal Stealer targets web browsers like Chrome and Firefox to extract saved data, cryptocurrency wallets such as MetaMask, Exodus, and Monero, and FTP clients like FileZilla and Total Commander. It can also hijack clipboard data to steal cryptocurrency transactions, capture VPN credentials, steal Telegram and Discord session data, and extract screenshots and specific files from compromised machines.
Source: https://www.cyfirma.com/research/hannibal-stealer-a-rebranded-threat-born-from-sharp-and-tx-lineage/
2025-04-28
Track_APT34_Like_Infra_Early
MEDIUM
Intel Source:
Hunt.IO
Intel Name:
Track_APT34_Like_Infra_Early
Date of Scan:
2025-04-28
Impact:
MEDIUM
Summary:
Hunt.io researchers have identified command-and-control infrastructure exhibiting similarities to APT34 (OilRig) TTPs being staged between November 2024 and April 2025, though currently dormant from a payload perspective. The operators registered domains impersonating an Iraqi academic institute and several fictitious UK-based technology firms (using .eu TLDs), hosted primarily on M247 infrastructure.
Source: https://hunt.io/blog/track-apt34-like-infrastructure-before-it-strikes
2025-04-28
RansomHub_Tactics_via_SocGholish
MEDIUM
Intel Source:
Esentire
Intel Name:
RansomHub_Tactics_via_SocGholish
Date of Scan:
2025-04-28
Impact:
MEDIUM
Summary:
Researchers at eSentire have identified a cyberattack in early March 2025 that employed SocGholish (also known as FakeUpdates) malware to capture system information and deliver a ZIP archive with a Python-based backdoor tied to RansomHub affiliates. RansomHub, a Ransomware-as-a-Service (RaaS) group founded in 2024, targets high-profile companies and promotes its services on the RAMP (Russian Anonymous Market Place) forum.
Source: https://www.esentire.com/blog/socket-puppet-how-ransomhub-affiliates-pull-the-strings
2025-04-27
Where_Evasion_Drives_Phishing_Forward
LOW
Intel Source:
Group-IB
Intel Name:
Where_Evasion_Drives_Phishing_Forward
Date of Scan:
2025-04-27
Impact:
LOW
Summary:
Group-IB researchers have uncovered an ongoing, sophisticated SMS phishing (smishing) campaign impersonating a major toll road service provider, primarily targeting users in French-speaking Canada since late 2023. Cybercriminals distribute localized SMS messages, often leveraging misconfigured gateways or A2P platforms, urging victims to pay outstanding fees via links that lead to highly convincing fraudulent websites. These sites are designed to harvest both personally identifiable information (PII) and payment card details. The campaign employs advanced evasion techniques, including multi-layered URL redirection through legitimate services like Google AMP, and incorporates third-party JavaScript libraries such as FingerprintJS for browser fingerprinting, to block analysis tools and restrict access only to targeted victims, and Cleave.js for real-time input validation.
Source: https://www.group-ib.com/blog/toll-of-deception/
2025-04-27
How_Tycoon2FA_Phishing_Chooses_Its_Victims
MEDIUM
Intel Source:
Any.Run
Intel Name:
How_Tycoon2FA_Phishing_Chooses_Its_Victims
Date of Scan:
2025-04-27
Impact:
MEDIUM
Summary:
ANY.RUN researchers have analyzed a sophisticated phishing technique employed by the Tycoon2FA threat actor, utilizing geolocation and system fingerprinting to selectively target users in Argentina, Brazil, and the Middle East (UTC-3, UTC+2 to +4 timezones). Observed in April 2025, the attack begins when a user visits a newly registered domain hosted on AS-CHOOPA infrastructure. An initial benign redirect is triggered, but just before it occurs, a hidden image tag executes a fingerprinting script via its onerror event. This script collects system details (screen resolution, user agent, timezone, GPU info) and POSTs them to the server. Only if the fingerprint and geolocation match the attacker's target criteria does the server respond with a redirect to the actual Tycoon2FA phishing page; otherwise, users are sent to legitimate sites like Tesla or Emirates.
Source: https://x.com/anyrun_app/status/1914999622881235340
2025-04-27
LNK_Malware_Targets_Korean_Users
LOW
Intel Source:
ASEC
Intel Name:
LNK_Malware_Targets_Korean_Users
Date of Scan:
2025-04-27
Impact:
LOW
Summary:
Researchers at ASEC have identified a recent malware campaign distributing malicious LNK files disguised as official notices (e.g., tax bills, sex offender information) to target Korean users for information theft. Upon execution, the LNK file downloads and runs an HTA file, which extracts and executes embedded PowerShell scripts. These scripts perform extensive data collection, targeting browser data (including Naver Whale), cryptocurrency wallets, public certificates (GPKI/NPKI), email files, recent document paths, and implement keylogging and clipboard capturing capabilities. Persistence is established via the Run registry key, and stolen data is compressed and exfiltrated to attacker-controlled servers.
Source: https://asec.ahnlab.com/en/87620/
2025-04-27
Kimsuky_Deploys_PebbleDash_via_LNK
MEDIUM
Intel Source:
ASEC
Intel Name:
Kimsuky_Deploys_PebbleDash_via_LNK
Date of Scan:
2025-04-27
Impact:
MEDIUM
Summary:
ASEC researchers have observed recent campaigns by the Kimsuky group distributing the PebbleDash backdoor, previously associated with Lazarus but now increasingly deployed by Kimsuky against individuals. Observed in March 2025, the attack initiates via spear-phishing emails containing malicious LNK files disguised with double extensions. Executing the LNK triggers a JavaScript file, which launches PowerShell scripts to establish persistence (task scheduler, registry keys) and communicate with C2 infrastructure (Dropbox, TCP sockets). Through this C2, Kimsuky deploys additional tools, including PebbleDash and AsyncRAT for remote control, UAC bypass malware (leveraging the AppInfo ALPC technique from UACMe), and a patched version of termsrv.dll to disable RDP license authentication, allowing unfettered RDP access.
Source: https://asec.ahnlab.com/en/87621/
2025-04-26
DslogdRAT_Deployed_via_Ivanti_Exploit
LOW
Intel Source:
JPCERT
Intel Name:
DslogdRAT_Deployed_via_Ivanti_Exploit
Date of Scan:
2025-04-26
Impact:
LOW
Summary:
Researchers at JPCERT have identified the installation of DslogdRAT malware and a Perl-based web shell on Ivanti Connect Secure devices in December 2024, leveraging a zero-day vulnerability (CVE-2025-0282) in attacks against Japanese enterprises. The web shell, triggered by a certain cookie value, allowed attackers to run arbitrary commands, which were most likely used to deploy DslogdRAT. This malware employs a multi-process architecture, interacting with its C2 server and carrying out tasks such as file transfer, shell execution, and proxying using encoded socket communications.
Source: https://blogs.jpcert.or.jp/en/2025/04/dslogdrat.html
2025-04-26
Billbug_Targeting_SouthAsian_Countries
MEDIUM
Intel Source:
Symantec
Intel Name:
Billbug_Targeting_SouthAsian_Countries
Date of Scan:
2025-04-26
Impact:
MEDIUM
Summary:
Researchers from Symantec have uncovered a campaign run by the Chinese espionage group known as Billbug, also referred to as Lotus Blossom, Lotus Panda or Bronze Elgin. This group emerged in 2009 and is targeting organisations such as a government ministry, an air traffic control agency, a telecom operator and a construction company within one country, as well as a news agency and an air freight company in neighbouring nations. The attackers abuse legitimate software from Trend Micro and Bitdefender to execute their malware through DLL sideloading. Additionally, they leverage the known backdoor Sagerunex and the Zrok tool for remote access, and deploy malware like ChromeKatz and CredentialKatz to steal passwords and cookies from Google Chrome.
Source: https://www.security.com/threat-intelligence/billbug-china-espionage
2025-04-26
North_Korea_Russia_Cybercrime_Nexus
MEDIUM
Intel Source:
Trend Micro
Intel Name:
North_Korea_Russia_Cybercrime_Nexus
Date of Scan:
2025-04-26
Impact:
MEDIUM
Summary:
Researchers at Trend Micro have identified that North Korea's cybercrime operations, particularly those associated with the Void Dokkaebi intrusion suite, rely heavily on Russian infrastructure. They discovered various Russian IP address ranges, which are often hidden by VPNs, proxies, and VPS servers, and are regularly utilized by DPRK-aligned actors to execute cyber activities such as crypto wallet brute-forcing, fraudulent job scams, and command-and-control arrangements for Beavertail malware.
Source: https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html
2025-04-26
Lazarus_Exploits_SK_Software
LOW
Intel Source:
Securelist
Intel Name:
Lazarus_Exploits_SK_Software
Date of Scan:
2025-04-26
Impact:
LOW
Summary:
Researchers from Securelist have discovered a targeted effort by the Lazarus group called "Operation SyncHole," which impacted at least six South Korean firms in the software, IT, finance, semiconductor, and telecom industries. The group combined watering hole attacks with the exploitation of vulnerabilities in local software, such as Cross EX and Innorix Agent.
Source: https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/
2025-04-25
Malware_Campaign_Potentially_Linked_to_Konni_Group
MEDIUM
Intel Source:
Rixed Labs
Intel Name:
Malware_Campaign_Potentially_Linked_to_Konni_Group
Date of Scan:
2025-04-25
Impact:
MEDIUM
Summary:
An active multi-stage malware campaign, exhibiting strong similarities to the North Korean-linked Konni APT group, was recently analyzed after being distributed via a ZIP archive containing a malicious LNK file. First seen in April 2025, the campaign uses social engineering, disguising the initial LNK file with a Korean filename ("Proposal") and PDF icon to target Korean-speaking users. Execution triggers a complex chain involving obfuscated PowerShell, VBScript, and multiple batch files, which extract payloads hidden within the LNK, establish persistence via the registry, collect directory listings and system information, and ultimately exfiltrate data using RC4-like encryption over HTTPS POST requests.
Source: https://muff-in.github.io/blog/Malware-Campaign-Potentially-Linked-to-DPRK-Konni-Group/
2025-04-25
LAGTOY_Backdoor_Enables_Ransomware
LOW
Intel Source:
Cisco Talos
Intel Name:
LAGTOY_Backdoor_Enables_Ransomware
Date of Scan:
2025-04-25
Impact:
LOW
Summary:
Researchers at Cisco Talos have found a financially motivated Initial Access Broker (IAB) known as "ToyMaker," who collaborates with double extortion gangs. In a 2023 investigation of a critical infrastructure company, Talos discovered ToyMaker exploiting vulnerabilities in internet-exposed systems to deliver a custom backdoor known as "LAGTOY," which facilitated credential theft, reverse shell creation, and command execution on infected endpoints.
Source: https://blog.talosintelligence.com/introducing-toymaker-an-initial-access-broker/
2025-04-25
Emerging_Phishing_Techniques_and_Attack_Vectors
MEDIUM
Intel Source:
Intezer
Intel Name:
Emerging_Phishing_Techniques_and_Attack_Vectors
Date of Scan:
2025-04-25
Impact:
MEDIUM
Summary:
Intezer researchers have identified several emerging phishing techniques observed in 2025 that successfully bypass traditional email security defenses. Threat actors are increasingly using unconventional methods, including embedding obfuscated, Base64-encoded JavaScript within SVG file attachments, hiding malicious URLs in PDF annotation metadata (invisible in the main text layer), leveraging read-only OneDrive links where malicious URLs are dynamically loaded via JavaScript at runtime, and nesting malicious MHT files containing QR codes within OpenXML (.docx) documents.
Source: https://intezer.com/blog/emerging-phishing-techniques-new-threats-and-attack-vectors/
2025-04-24
MSHTA_2FA_Bypass_on_the_Rise
LOW
Intel Source:
ReliaQuest
Intel Name:
MSHTA_2FA_Bypass_on_the_Rise
Date of Scan:
2025-04-24
Impact:
LOW
Summary:
ReliaQuest researchers have discovered an increase in financially driven cyberattacks between December 2024 and February 2025, including a large increase in VPN brute-forcing efforts, defense evasion via MSHTA exploitation, and internal phishing for lateral movement. Initial access attacks through VPNs, RDP, and VDI grew by 21.3%, with many leveraging weak or compromised credentials.
Source: https://www.reliaquest.com/blog/threat-spotlight-cyber-attacker-techniques-dec-2024-to-feb-2025/
2025-04-24
Phishing_via_Ad_Redirects
LOW
Intel Source:
ISC.SANS
Intel Name:
Phishing_via_Ad_Redirects
Date of Scan:
2025-04-24
Impact:
LOW
Summary:
Researchers from ISC SANS have found that obviously fraudulent advertising URLs continue to thrive in 2025, revealing ongoing flaws in ad platform security. The Internet Storm Center received a recent phishing email that redirected victims through legitimate ad infrastructure to a well-known credential harvesting page hosted on a Dynamic DNS service. Despite obvious signs of fraudulent activity and many sightings of the same phishing effort over a week, the redirect remained active and unblocked.
Source: https://isc.sans.edu/diary/Its+2025+so+why+are+obviously+malicious+advertising+URLs+still+going+strong/31880/
2025-04-24
FOG_Ransomware_Linked_to_DOGE
LOW
Intel Source:
Trend Micro
Intel Name:
FOG_Ransomware_Linked_to_DOGE
Date of Scan:
2025-04-24
Impact:
LOW
Summary:
Researchers at Trend Micro have identified that the FOG ransomware is actively being circulated by attackers purporting to be affiliated with the Department of Government Efficiency. The threat actors are using phishing emails with ZIP files named "Pay Adjustment.zip," which include malicious LNK files that start the ransomware infection. Nine such samples, uploaded to VirusTotal between March 27 and April 2, exhibited characteristics of the FOG ransomware strain, including binaries with a ".flocked" extension and ransom notes directing victims to spread the malware further.
Source: https://www.trendmicro.com/en_us/research/25/d/fog-ransomware-concealed-within-binary-loaders-linking-themselve.html
2025-04-23
MS_SQL_Attacks_Using_Ammyy_Admin
LOW
Intel Source:
ASEC
Intel Name:
MS_SQL_Attacks_Using_Ammyy_Admin
Date of Scan:
2025-04-23
Impact:
LOW
Summary:
Researchers at ASEC have identified attacks targeting poorly managed, publicly accessible MS-SQL servers to install the legitimate remote control tool, Ammyy Admin, for malicious use. Threat actors gain initial access, likely exploiting weak credentials, and execute reconnaissance commands before using wget to download Ammyy Admin (v3.10, an old version with known exploitation methods) alongside the PetitPotato privilege escalation tool. The attackers utilize PetitPotato to create a new user account and enable Remote Desktop Protocol (RDP) access, supplementing the remote control capability provided by Ammyy Admin.
Source: https://asec.ahnlab.com/en/87606/
2025-04-23
Vidar_Stealer_Abuse_BFInfo_and_Gaming_Platforms
LOW
Intel Source:
G-Data
Intel Name:
Vidar_Stealer_Abuse_BFInfo_and_Gaming_Platforms
Date of Scan:
2025-04-23
Impact:
LOW
Summary:
Researchers from G-Data have observed that Vidar Stealer is being distributed through gaming platforms and the Microsoft tool BGInfo. Vidar Stealer is a malware that first emerged in 2018 and is known for stealing sensitive information like browser cookies, saved passwords, and financial data. It operates as MaaS and is distributed via phishing emails and malvertising. Researchers identified an incident where a Steam game called PirateFi contained Vidar Stealer, which compromised users' systems upon installation. In another incident, attackers leveraged an infected version of BGInfo whose code had been modified to deploy malware when opened.
Source: https://www.gdatasoftware.com/blog/2025/04/38169-vidar-stealer
2025-04-23
Malicious_PyPI_Package_Targets_MEXC
LOW
Intel Source:
JFrog
Intel Name:
Malicious_PyPI_Package_Targets_MEXC
Date of Scan:
2025-04-23
Impact:
LOW
Summary:
Researchers at JFrog have identified ccxt-mexc-futures, a malicious Python package on PyPI that mimics the legitimate and widely used CCXT library in order to steal cryptocurrency trading credentials. The package claims to offer functionality for MEXC futures trading, but actually hijacks API calls relating to order submission and cancellation and redirects them to a malicious server. This redirection allows attackers to harvest API keys and secrets, potentially compromising user accounts on the MEXC exchange.
Source: https://jfrog.com/blog/malicious-pypi-package-hijacks-mexc-orders-steals-crypto-tokens/