Threat Research Feed

Intel Source:
Fortinet
Intel Name:
Headerless_Malware_Uncovered
Date of Scan:
2025-06-07
Impact:
LOW
Summary:
FortiGuard researchers have discovered a Remote Access Trojan (RAT) that infected a Windows system and remained active for several weeks without being detected. The malware runs directly in system memory without a valid PE header, which makes it hard for regular security tools to detect. It starts through scripts and PowerShell commands and runs under a process called dllhost.exe. It connects to its C2 server using a secure connection over port 443 and protects stolen data, such as system information and JPEG screenshots, by encrypting it with a custom XOR method. The malware can capture the victim's screen, receive remote commands and manipulate system services, showing it is designed for deep system access and long-term spying.
Source: https://www.fortinet.com/blog/threat-research/deep-dive-into-a-dumped-malware-without-a-pe-header
Intel Source:
K7 Security Labs
Intel Name:
ViperSoftX_Variant
Date of Scan:
2025-06-07
Impact:
LOW
Summary:
Researchers from K7 Labs have uncovered the ViperSoftX malware targeting Windows systems through cracked software distributed via torrent platforms. The malware is primarily used to deliver information stealers and cryptocurrency hijackers. Upon execution, it leverages a hidden PowerShell loader to install and execute a second payload disguised as a legitimate DLL. This DLL contains a Lua script engine that runs hidden Lua scripts stored inside an encrypted ZIP file. Its primary objective is to steal personal information and cryptocurrency, especially by watching the clipboard for wallet addresses to hijack.
Source: https://labs.k7computing.com/index.php/in-depth-analysis-of-a-2025-vipersoftx-variant/
Intel Source:
Cyfirma
Intel Name:
DuplexSpy_RAT_Target_Window_Users
Date of Scan:
2025-06-06
Impact:
LOW
Summary:
CYFIRMA researchers have identified a new malware called DuplexSpy RAT that targets Windows systems. It was originally released publicly on GitHub by a user named ISSAC/iss4cfOng for educational purposes, but cybercriminals have now started using it. DuplexSpy allows attackers to fully control an infected machine, including logging keystrokes, recording the screen, turning on the webcam and microphone, running remote commands and even moving the mouse. It hides itself by copying files to startup folders, changing registry settings, injecting code into other programs and using encryption to avoid detection. It can also disguise itself as a legitimate Windows update and shut down security software to stay hidden.
Source: https://www.cyfirma.com/research/duplexspy-rat-stealthy-windows-malware-enabling-full-remote-control-and-surveillance/
Intel Source:
ISC.SANS
Intel Name:
Fake_Zoom_Client_Delivers_RAT
Date of Scan:
2025-06-06
Impact:
LOW
Summary:
Researchers at ISC.SANS have found a campaign distributing malware through fake Zoom client updates, observed around June 4, 2025. Attackers lure victims with phishing emails containing fake Zoom meeting invitations. Clicking the embedded link directs users to a webpage prompting a Zoom client update, which, if downloaded, delivers an executable ("Session.ClientSetup.exe"). This initial payload acts as a downloader, deploying an MSI package that installs ScreenConnect, a legitimate remote access tool, configured for malicious control by the attackers and establishing persistence as a service. The primary objective appears to be gaining unauthorized remote access to victim systems. This tactic leverages the widespread reliance on collaborative tools, particularly since the shift to remote work, posing a significant risk of unauthorized access and potential follow-on attacks.
Source: https://isc.sans.edu/diary/rss/32014
Intel Source:
Socket
Intel Name:
Malicious_NPM_Crypto_Wallet_Drainers
Date of Scan:
2025-06-06
Impact:
LOW
Summary:
Researchers at Socket have identified four malicious npm packages designed to drain Ethereum and BSC cryptocurrency wallets. These packages, created by an actor named @crypto-exploit (registered with a Russian webmail address) three to four years ago, collectively amassed over 2,100 downloads. The malware, embedded within packages like pancake_uniswap_validators_utils_snipe and env-process, uses obfuscated JavaScript that reads wallet private keys from environment variables and then attempts to transfer 80-85% of the victim's wallet balance to a threat actor-controlled address. This known tactic aims for stealth and persistence by leaving some funds for gas fees.
Source: https://socket.dev/blog/malicious-npm-packages-target-bsc-and-ethereum
Intel Source:
Cisco Talos
Intel Name:
Malware_Disguised_as_AI_Tool_Installers
Date of Scan:
2025-06-06
Impact:
MEDIUM
Summary:
Researchers from Cisco Talos have identified a significant trend in which cybercriminals disguise malware as popular AI tools to trick users into downloading it. These fake AI installers are being used to spread three different threats: CyberLock ransomware, Lucky_Gh0$t ransomware and a newly discovered malware called Numero. The attackers mainly target people and businesses in technology, marketing and B2B sales. To lure victims, the attackers use tactics like search engine manipulation and fake messages on platforms like Telegram and social media. CyberLock is ransomware that encrypts files and demands $50,000 in Monero, falsely claiming the money supports humanitarian causes. Lucky_Gh0$t is a Yashma ransomware variant hidden in a fake ChatGPT installer that uses Microsoft AI tools to look legitimate and avoid detection. The third threat, Numero, is destructive malware disguised as an AI video creation tool that renders Windows systems unusable by replacing text and buttons with random numbers.
Source: https://blog.talosintelligence.com/fake-ai-tool-installers/
Intel Source:
Any.Run
Intel Name:
Lazarus_Stealer_Targets_Professionals
Date of Scan:
2025-06-05
Impact:
LOW
Summary:
Researchers at ANY.RUN have found OtterCookie, a new JavaScript-based stealer malware attributed to the North Korean Lazarus Group, targeting finance and technology professionals. First observed in a campaign around June 2025, attackers employ social engineering, often through fake job offers or freelance bug fix tasks on platforms like LinkedIn, to deliver what appears to be legitimate Node.js code hosted in a Bitbucket repository. The malware's novelty lies in its execution method: an intentionally flawed piece of code triggers an error handler that fetches and executes a heavily obfuscated JavaScript payload from an external API, reportedly hosted in Finland.
Source: https://any.run/cybersecurity-blog/ottercookie-malware-analysis/
Intel Source:
Sysdig
Intel Name:
AI_Tool_Misconfig_Exploited_for_Malicious_Payload
Date of Scan:
2025-06-05
Impact:
MEDIUM
Summary:
The Sysdig Threat Research Team has reported an incident in which a threat actor exploited a misconfigured, internet-exposed Open WebUI instance to deploy an AI-generated Python payload. This payload targeted both Linux and Windows systems, downloading T-Rex and XMRig cryptominers for Monero and Kawpow, establishing persistence via systemd services, and using a Discord webhook for C2. The financially motivated attack leveraged uncommon defense evasion tools like processhider and argvhider (an LD_PRELOAD technique to hide process arguments) on Linux. The Windows variant was more sophisticated, deploying a Java-based loader (application-ref.jar) which in turn executed secondary malicious JARs containing infostealers targeting Chrome extensions and Discord tokens, and employed multiple DLLs for XOR decoding and sandbox evasion.
Source: https://sysdig.com/blog/attacker-exploits-misconfigured-ai-tool-to-run-ai-generated-payload/
Intel Source:
Gi7w0rm (Medium)
Intel Name:
HuluCaptcha_CAPTCHA_Deploys_Malware
Date of Scan:
2025-06-04
Impact:
LOW
Summary:
Researchers from Gi7w0rm have uncovered a new malicious campaign called HuluCaptcha, which uses fake CAPTCHA pages to distribute malware such as Lumma Stealer, Aurotun Stealer and Donut Injector. The attackers are compromising legitimate websites, such as the German Association for International Law and the Los Angeles Caregiver Resource Center, by injecting malicious JavaScript that redirects users to fake CAPTCHA screens designed to resemble Cloudflare. These deceptive pages trick users into executing malicious commands via the Windows Run dialog, which installs the malware. The campaign also includes tools for victim tracking, customized PowerShell payload generation and indications of an affiliate tracking system aimed at scaling the operation.
Source: https://gi7w0rm.medium.com/hulucaptcha-an-example-of-a-fakecaptcha-framework-9f50eeeb2e6d
Intel Source:
CISA
Intel Name:
APT_28_Targeting_Western_Logistics_and_Technology_Entities
Date of Scan:
2025-06-03
Impact:
MEDIUM
Summary:
A joint advisory issued by CISA, NSA, FBI and international partners warns that the GRU's Unit 26165, also known as APT28 or Fancy Bear, has been conducting a long-running cyber espionage campaign targeting Western logistics and technology companies involved in the coordination, transport and delivery of foreign assistance to Ukraine. The threat actor employs multiple tactics and techniques to gain initial access, including password spraying, spearphishing, exploiting vulnerabilities (in Outlook, Roundcube and WinRAR, for example) and abusing SOHO devices and VPNs. More recently, they have expanded their activity to include targeting internet-connected cameras in Ukraine and bordering NATO countries to monitor aid shipments. Once inside a system, the threat actor conducts reconnaissance and often uses tools like Impacket, PsExec, Certipy and ADExplorer for lateral movement and data exfiltration, focusing on sensitive information related to aid shipments.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a
Intel Source:
Wiz.io
Intel Name:
JINX_0132_DevOps_Cryptojacking_Campaign
Date of Scan:
2025-06-03
Impact:
LOW
Summary:
Researchers at Wiz have identified a widespread cryptojacking campaign, attributed to the threat actor JINX-0132, targeting publicly accessible and misconfigured DevOps tools such as HashiCorp Nomad, Consul, Docker API, and Gitea, including instances in major cloud environments. Active as of June 2025, JINX-0132 exploits known vulnerabilities and insecure default settings—like Nomad's job creation or Consul's health checks—to achieve remote code execution and deploy the XMRig Monero miner for financial gain.
Source: https://www.wiz.io/blog/jinx-0132-cryptojacking-campaign
Intel Source:
ASEC
Intel Name:
ViperSoftX_Targeting_Cryptocurrency_Users
Date of Scan:
2025-06-03
Impact:
LOW
Summary:
ASEC researchers have observed the ViperSoftX threat actor targeting cryptocurrency users across the globe, with recent attacks in Korea. This multi-stage malware campaign has been active for several years, aiming for financial gain by stealing cryptocurrency-related information and hijacking transactions. ViperSoftX gains initial access through pirated software or malicious torrent files. Once inside a system, it establishes persistence via scheduled tasks and obfuscated PowerShell scripts. The malware then deploys malicious tools including downloaders, information stealers like TesseractStealer, clipboard manipulators (ClipBanker) to change wallet addresses, and RATs such as Quasar RAT and PureHVNC, communicating with C2 servers over HTTP and DNS. It can also monitor clipboard activity for cryptocurrency wallet addresses and BIP39 recovery phrases, exfiltrate browser data and system information, and execute arbitrary commands from the attacker.
Source: https://asec.ahnlab.com/ko/88265/
Intel Source:
SOC Radar
Intel Name:
NightSpire_Ransomware
Date of Scan:
2025-06-03
Impact:
MEDIUM
Summary:
Researchers from SOCRadar have uncovered a new financially motivated ransomware group called NightSpire that emerged in early 2025. The group employs a double extortion technique in which they steal sensitive data from victims and threaten to publish it on their data leak site if the ransom is not paid. NightSpire primarily targets small to medium-sized organisations in the Technology, IT Services, Financial Services, Manufacturing, Construction, Education and Healthcare sectors across the U.S., Taiwan, Hong Kong, Egypt and several European nations. The group gains initial access by exploiting known vulnerabilities in VPNs, firewalls or outdated web servers. Once inside, they use legitimate system tools such as PowerShell or PsExec to move laterally, steal credentials and escalate privileges. Before deploying ransomware, they exfiltrate data to attacker-controlled servers using tools like Rclone or MEGA. NightSpire leverages secure channels like ProtonMail or Telegram to communicate with victims.
Source: https://socradar.io/dark-web-profile-nightspire-ransomware/
Intel Source:
BitMEX
Intel Name:
Lazarus_Targeting_Crypto_via_Phishing
Date of Scan:
2025-06-02
Impact:
MEDIUM
Summary:
BitMEX researchers have analyzed how the Lazarus Group, linked to the North Korean government, continues its financially motivated campaigns against the cryptocurrency sector. The threat actors employ initial phishing and social engineering, such as recent LinkedIn pretexts for fake web3 project collaborations, to trick victims into executing malicious code often hosted in private GitHub repositories. This initial payload, as detailed by BitMEX, exfiltrates victim metadata to a misconfigured Supabase instance and deploys a second-stage JavaScript credential stealer, resembling "BeaverTail", aimed at pilfering browser data and cryptocurrency wallet access.
Source: https://blog.bitmex.com/bitmex-busts-lazarus-group/
Intel Source:
360 Threat Intelligence Center
Intel Name:
APT_C_53_Military_Themed_LNK_Attacks
Date of Scan:
2025-06-02
Impact:
MEDIUM
Summary:
The 360 Advanced Threat Research Institute has recently captured VBScript samples attributed to APT-C-53 (Gamaredon), an advanced persistent threat group active since 2013 and known for targeting government and military entities for intelligence theft. This campaign employs highly obfuscated VBS scripts and malicious LNK shortcut files, using military intelligence themes as bait to entice users into executing payloads via social engineering. The attackers utilize a phased deployment mechanism, achieving persistence through infected user files, registry modifications and scheduled tasks, ultimately aiming to exfiltrate sensitive information. Forged HTTP request headers, including User-Agent and Referer fields referencing Ukrainian government domains, are used for command-and-control communication, which carries Base64-encoded data.
Source: https://mp.weixin.qq.com/s/sVc2dLNJwbpgEzBXkFyBRw
Intel Source:
CYFIRMA
Intel Name:
Lyrix_Ransomware_Targeting_Windows
Date of Scan:
2025-06-02
Impact:
MEDIUM
Summary:
CYFIRMA researchers have identified Lyrix Ransomware, a Python-based malware compiled with PyInstaller, targeting Windows operating systems. First observed on April 20, 2025, Lyrix employs strong AES encryption, appends a '.02dq34jROu' extension to encrypted files, and utilizes advanced evasion techniques such as anti-VM checks (via VirtualProtect) and process manipulation (GetCurrentProcess, TerminateProcess). The financially motivated attackers issue ransom demands, threaten to leak stolen data from user directories like Downloads and Documents, and attempt to cripple system recovery by deleting Volume Shadow Copies and disabling WinRE. The malware's discovery on underground forums and the ProtonMail contact address creation in April 2025 indicate recent actor activity.
Source: https://www.cyfirma.com/research/lyrix-ransomware/
Intel Source:
CERT-AGID
Intel Name:
New_AsyncRAT_Campaign_Targets_Italian_Users
Date of Scan:
2025-06-01
Impact:
LOW
Summary:
CERT-AGID researchers have uncovered a phishing campaign targeting users in Italy with AsyncRAT malware. The attack starts with an English-language email impersonating the legitimate company Arabian Construction Co, claiming the recipient is being considered as a potential supplier and inviting them to view a file. Instead of an attachment, the email includes a Box.com link to download a TAR file containing a hidden JavaScript file. When executed, the script runs PowerShell to download a DLL from Aruba Drive. The DLL checks whether it is running in a virtual machine, then downloads and executes AsyncRAT. This malware allows attackers to take control of infected machines, steal data and run commands remotely.
Source: https://cert-agid.gov.it/news/asyncrat-distribuito-in-italia-tramite-componenti-steganografici/
Intel Source:
Microsoft
Intel Name:
Void_Blizzard_Espionage_Targets_Critical_Sectors
Date of Scan:
2025-06-01
Impact:
HIGH
Summary:
Microsoft researchers have disclosed details of Void Blizzard (also LAUNDRY BEAR), a Russia-affiliated actor active since at least April 2024 that conducts cyberespionage operations against organizations crucial to Russian government objectives, primarily in Europe and North America. Targets include the government, defense, transportation, media, NGO and healthcare sectors, with a disproportionate focus on NATO member states and Ukraine. Void Blizzard initially gained access by using stolen credentials, likely procured from infostealer ecosystems, to access Exchange and SharePoint Online for large-scale email and file exfiltration. As of April 2025, the actor has evolved its tactics to include adversary-in-the-middle (AitM) spear phishing, using typosquatted domains and the Evilginx framework to spoof Microsoft Entra authentication and steal credentials and session cookies.
Source: https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/
Intel Source:
Sophos
Intel Name:
DragonForce_Exploits_SimpleHelp_for_MSP_Attacks
Date of Scan:
2025-06-01
Impact:
MEDIUM
Summary:
Sophos researchers have uncovered that DragonForce ransomware operators are exploiting a chain of vulnerabilities in SimpleHelp remote monitoring and management (RMM) software (CVE-2024-57727, CVE-2024-57728 and CVE-2024-57726, released in January 2025). The attackers target Managed Service Providers (MSPs) to gain access to their environments and those of their clients. In one investigated case, the threat actors compromised an MSP's SimpleHelp instance, mapped connected customer environments and deployed DragonForce ransomware across multiple systems. They also exfiltrated sensitive data to enable double extortion tactics. Active since mid-2023, DragonForce operates as a Ransomware-as-a-Service (RaaS) platform with a growing affiliate base, including members linked to groups like Scattered Spider, presenting a serious supply chain threat to organizations reliant on MSPs.
Source: https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/
Intel Source:
LevelBlue
Intel Name:
MSHTA_LOLBin_Delivers_Obfuscated_Infostealer
Date of Scan:
2025-05-31
Impact:
MEDIUM
Summary:
LevelBlue's analysis, published May 27, 2025, details an emerging threat involving multi-stage malware delivery initiated by mshta.exe, a native Windows LOLBin. Attackers leverage MSHTA to fetch an initially disguised .tmp file, hosted on cloud infrastructure like Alibaba Cloud Object Storage, which contains heavily obfuscated VBScript. This script employs techniques like XOR and Base64 encoding to deobfuscate and execute subsequent PowerShell payloads via WMI, ultimately leading to the deployment of a sophisticated infostealer.
Source: https://levelblue.com/blogs/security-essentials/hunting-malware-with-mshta-and-cyberchef
Intel Source:
CERT-AGID
Intel Name:
Fake_Agenzia_Entrate_Refund_Scam
Date of Scan:
2025-05-31
Impact:
LOW
Summary:
CERT-AGID researchers have uncovered a phishing campaign impersonating Italy’s Revenue Agency (Agenzia delle Entrate), in which threat actors distribute fake refund emails to trick recipients into entering personal and credit card information on a fraudulent website. The Ministry of Economy and Finance (MEF) has been notified, and efforts are underway to take down the malicious domain.
Source: https://cert-agid.gov.it/wp-content/uploads/2025/05/phishing_AdE_2.json
Intel Source:
Wordfence
Intel Name:
Stealthy_WooCommerce_Formjacking_Malware
Date of Scan:
2025-05-31
Impact:
LOW
Summary:
The Wordfence researchers have identified a sophisticated formjacking malware targeting e-commerce sites using WooCommerce. Active since at least April 2025, this malware injects a convincing, fake payment form into the checkout process to steal sensitive customer data, including full card details and personal information. Attackers achieve initial access likely through compromised WordPress administrator accounts, then inject the malicious JavaScript via custom code plugins. The malware stealthily captures data by continuously monitoring billing fields and storing it in the browser's localStorage for persistence across sessions and resilience against network interruptions. Upon the customer clicking "Place Order," the script exfiltrates the collected data to a remote command-and-control server using the navigator.sendBeacon() method, which avoids user awareness and common detection triggers.
Source: https://www.wordfence.com/blog/2025/05/sophisticated-stealthy-formjacking-malware-targets-e-commerce-checkout-pages/
Intel Source:
Elastic Security Labs
Intel Name:
ALCATRAZ_Obfuscated_DOUBLELOADER_Backdoor
Date of Scan:
2025-05-30
Impact:
MEDIUM
Summary:
Researchers from Elastic Security Labs have discovered DOUBLELOADER, a newly identified backdoor malware often found in conjunction with the RHADAMANTHYS infostealer. This malware duo is notably protected by the ALCATRAZ open-source obfuscator, which has been in use since January 2023 by both cybercriminal groups and APT actors. DOUBLELOADER has been active since at least December 2024 and leverages ALCATRAZ to complicate binary analysis and extend its operational lifespan. DOUBLELOADER performs direct system calls for tasks such as injecting code into the explorer.exe process, gathering host system information, and communicating with a hardcoded command-and-control server for updates. The ALCATRAZ obfuscator enhances evasion by applying multiple layers of protection, including control flow flattening, instruction mutation, constant unfolding, LEA constant hiding, anti-disassembly techniques, and entrypoint obfuscation. These obfuscation methods are frequently embedded within a custom PE section named .0Dev.
Source: https://www.elastic.co/security-labs/deobfuscating-alcatraz
Intel Source:
Sekoia
Intel Name:
Mimo_Exploits_Craft_CMS_for_Cryptomining
Date of Scan:
2025-05-30
Impact:
LOW
Summary:
Researchers at Sekoia have identified a group called Mimo, active since at least March 2022, that is exploiting a newly disclosed vulnerability (CVE-2025-32432) in the Craft content management system to break into servers. After gaining access, the attackers, believed to be based in Turkey, install a backdoor that allows remote access to the compromised server and run a script named 4l4md4r.sh to download a program written in Go. This program installs both a cryptominer called XMRig and a tool called IPRoyal, which is used to exploit the victim's internet bandwidth. They also use techniques like LD_PRELOAD hijacking to hide their malicious activity on the system.
Source: https://blog.sekoia.io/the-sharp-taste-of-mimolette-analyzing-mimos-latest-campaign-targeting-craft-cms/
Intel Source:
PolySwarm
Intel Name:
Fancy_Bear_SpyPress_XSS_Campaign
Date of Scan:
2025-05-30
Impact:
MEDIUM
Summary:
PolySwarm researchers have uncovered Operation RoundPress, an ongoing cyberespionage campaign attributed to the Russia-aligned threat group Fancy Bear, active since 2023 and expanding through 2024. The operation leverages SpyPress, a malicious JavaScript payload delivered through spearphishing emails that exploit cross-site scripting (XSS) vulnerabilities (including zero-days like CVE-2024-11182 in MDaemon) within webmail platforms such as Roundcube, Horde and Zimbra. The campaign primarily targets Ukrainian government agencies, Eastern European defense contractors, and government organizations across Africa, the EU and South America.
Source: https://blog.polyswarm.io/fancy-bears-spypress-malware
Intel Source:
Qianxin Threat Intelligence Center
Intel Name:
Leverage_Maha_Grass_Tools_via_Brain_Worm_Infra
Date of Scan:
2025-05-30
Impact:
MEDIUM
Summary:
Researchers at Qianxin have uncovered substantial overlaps in infrastructure and tooling between two advanced persistent threat (APT) groups: Maha Grass (APT-Q-36) and Brain Worm (APT-Q-38). Both groups are active in cyber espionage operations targeting organizations across South Asia and the broader Asian region. Since late February 2025, Brain Worm has been observed using a malware-hosting domain that was also recently associated with a Spyder downloader variant deployed by Maha Grass. A notable connection between the two groups is the use of the same digital signature "Ebo Sky Tech Inc" on malware samples, but applied on different dates: January 28 for Brain Worm and February 16 for Maha Grass. Both groups rely on spear-phishing attacks using malicious PowerPoint files embedded with VBA macros. These macros deliver an initial payload that subsequently downloads additional components, including DLL files and the Spyder downloader. The Spyder variant employed by both APTs features XOR-encrypted configurations, establishes persistence via scheduled tasks, remaps system DLLs, and exfiltrates data using Base64-encoded JSON payloads embedded in custom HTTP headers. To evade detection, the malware disguises its command-and-control (C2) traffic as legitimate network communication, spoofing well-known services such as GitHub.
Source: https://mp.weixin.qq.com/s/pJTPeK1Cam5n4RUElWzb2Q
Intel Source:
Picussecurity
Intel Name:
Chihuahua_Infostealer
Date of Scan:
2025-05-29
Impact:
LOW
Summary:
Researchers at Picus Security have uncovered a .NET-based malware called Chihuahua Infostealer, which emerged in April 2025 and targets browser credentials and cryptocurrency wallet data. The malware, likely created by Russian-speaking developers, begins with social engineering that tricks victims into executing a malicious PowerShell script, often delivered through trusted platforms like Google Drive. This script starts a multi-stage infection chain involving a Base64-encoded payload, followed by a second-stage script that sets up a scheduled task for persistence and further payload execution. The final .NET payload is downloaded from OneDrive and runs directly in memory to evade detection. The infection chain steals data from various browsers and cryptocurrency wallets. The stolen data is encrypted and exfiltrated over HTTPS, while local evidence of the attack is erased.
Source: https://www.picussecurity.com/resource/blog/chihuahua-stealer-malware-targets-browser-and-wallet-data
Intel Source:
Zscaler
Intel Name:
Operation_Endgame_2_0
Date of Scan:
2025-05-29
Impact:
MEDIUM
Summary:
Zscaler researchers have observed that law enforcement agencies have released information about an ongoing coordinated effort under "Operation Endgame", a joint campaign aimed at seizing and taking down DanaBot infrastructure, primarily within the United States. This operation has already disrupted several malware families, including SmokeLoader, IcedID, Pikabot and Bumblebee, and now includes actions against DanaBot. DanaBot is sold on underground forums as Malware-as-a-Service (MaaS). Its primary functions include stealing sensitive data, injecting malicious content into web browsers and deploying additional malware such as ransomware and remote access trojans. Notably, DanaBot can capture keystrokes, take screenshots, record the screen and even access the victim's system remotely. DanaBot's communications with C2 servers use strong encryption and utilize Tor to anonymize and secure these connections.
Source: https://www.zscaler.com/blogs/security-research/operation-endgame-2-0-danabusted
Intel Source:
ESET Research
Intel Name:
Danabot_MaaS_Disruption_and_Analysis
Date of Scan:
2025-05-29
Impact:
MEDIUM
Summary:
According to ESET Research, the Danabot Malware-as-a-Service (MaaS) operation, an infostealer and banking trojan active since 2018, was recently disrupted by a multinational law enforcement effort, Operation Endgame, in May 2025. The Danabot group, including individuals identified as JimmBee and Onix, provided affiliates with tools to steal financial data, deploy secondary malware like ransomware and conduct DDoS attacks against global victims, with early campaigns targeting Australia and Poland. Attackers distributed Danabot via spam, malicious Google Ads and deceptive websites that trick users into executing the malware on Windows systems.
Source: https://www.welivesecurity.com/en/eset-research/danabot-analyzing-fallen-empire/
Intel Source:
Recorded Future
Intel Name:
TAG_110_Targets_Tajikistan_Entities
Date of Scan:
2025-05-28
Impact:
MEDIUM
Summary:
Researchers at Insikt Group have uncovered a phishing campaign conducted by the Russian threat actor TAG-110, targeting government, educational and research institutions in Tajikistan. In this campaign, the threat actor has changed tactics by leveraging macro-enabled Word template files (.dotm) to gain initial access and persistence instead of deploying the HTA-based payload named HATVIBE. These VBA-enabled templates are embedded within government-themed documents. When the recipient opens the document, the malware copies itself to the Word STARTUP folder, allowing it to run automatically every time Word is opened. It collects system information and sends it to a C2 server. This campaign focuses on intelligence gathering related to government operations, military affairs and political events such as elections, to support Russian strategic interests in Central Asia.
Source: https://go.recordedfuture.com/hubfs/reports/cta-2025-0522.pdf
2025-05-28
Chinese_Threat_Actor_Exploiting_Ivanti_EMM_Vulnerability
MEDIUM
Intel Source:
EclecticIQ
Intel Name:
Chinese_Threat_Actor_Exploiting_Ivanti_EMM_Vulnerability
Date of Scan:
2025-05-28
Impact:
MEDIUM
Summary:
EclecticIQ researchers have identified that the China-nexus threat actor UNC5221 is actively exploiting two critical Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities (CVE-2025-4427 and CVE-2025-4428). The attackers are targeting internet-facing EPMM systems across critical sectors in Europe, North America, and the Asia-Pacific. They gain initial access through unauthenticated remote code execution, using Java Reflection to execute commands. Post-exploitation, they deploy the KrustyLoader malware, which downloads a hidden second-stage payload from AWS storage. This malware decrypts and injects itself directly into system memory to maintain long-term access. The threat actors then leverage MySQL credentials to access the EPMM database and exfiltrate sensitive data including authentication credentials, device details and Office 365 tokens. They also use a tool called FRP (Fast Reverse Proxy) for network reconnaissance and lateral movement.
Source: https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability
2025-05-28
Operation_Sindoor
LOW
Intel Source:
Seqrite
Intel Name:
Operation_Sindoor
Date of Scan:
2025-05-28
Impact:
LOW
Summary:
Researchers from Seqrite Labs have uncovered multiple cyber attacks linked to Operation Sindoor, involving both state-sponsored and hacktivist groups. The campaign is associated with the Pakistan-aligned threat groups APT36 and SideCopy and targeted critical Indian sectors such as defense, government IT systems, healthcare, telecom, and education. It involved spear phishing with malicious documents (macros, shortcuts, scripts) that deployed the Ares malware for espionage, while hacktivist groups launched DDoS attacks, defaced websites, and leaked stolen data. The operation also leveraged spoofed domains mimicking military and government entities to spread false information and cause disruption.
Source: https://www.seqrite.com/blog/operation-sindoor-anatomy-of-a-digital-siege/
2025-05-27
APT_Spear_Phishing_Surge_in_Korea
LOW
Intel Source:
ASEC
Intel Name:
APT_Spear_Phishing_Surge_in_Korea
Date of Scan:
2025-05-27
Impact:
LOW
Summary:
ASEC researchers have discovered an increase in Advanced Persistent Threat (APT) attacks in South Korea during April 2025, with spear phishing identified as the most common infiltration method. Targeted phishing attacks use thorough reconnaissance, spoofed sender addresses, and malware attachments or links to trick receivers. AhnLab identified a particular variation involving LNK files, in which attackers distributed CAB-compressed malicious scripts encoded in LNK files carrying PowerShell commands. When launched, these scripts can extract fake documents, leak system information, and install other malware on the victim's computer.
Source: https://asec.ahnlab.com/en/87945/
2025-05-27
Amos_Stealer_Targeting_macOS_Users
LOW
Intel Source:
motuariki (X)
Intel Name:
Amos_Stealer_Targeting_macOS_Users
Date of Scan:
2025-05-27
Impact:
LOW
Summary:
Security researcher motuariki has disclosed additional Command and Control (C2) infrastructure and sample hashes associated with the Amos Stealer, a known macOS malware. The shared C2 endpoint was listed alongside other similar IP-based C2s. This ongoing activity signifies a persistent threat from Amos Stealer targeting macOS users for credential and data theft.
Source: https://x.com/motuariki_/status/1924330564880159165
2025-05-26
Bumblebee_Spread_via_Bing_SEO_Poisoning
MEDIUM
Intel Source:
CYJAX
Intel Name:
Bumblebee_Spread_via_Bing_SEO_Poisoning
Date of Scan:
2025-05-26
Impact:
MEDIUM
Summary:
Cyjax researchers have identified a new Bumblebee malware distribution campaign that exploits Bing SEO poisoning. The attackers target users searching for software like WinMTR and Milestone XProtect by creating fake download sites. These sites, hosted on a Truehost Cloud server in Nairobi, rank highly in Bing search results and deliver trojanized MSI installers from an external domain. When executed via msiexec.exe, the installer drops both legitimate software components and malicious files, including a tampered version.dll and icardagt.exe. The executable loads the malicious DLL, leading to the deployment of the Bumblebee malware. Once active, Bumblebee connects to command-and-control (C2) domains using unique 13-character strings followed by a .life TLD. The campaign appears to be an evolution of a similar 2023 SEO poisoning strategy and is now focused on targeting less mainstream software tools often used in technical development environments.
Source: https://www.cyjax.com/resources/blog/a-sting-on-bing-bumblebee-delivered-through-bing-seo-poisoning-campaign/
2025-05-26
Phishing_Campaign_Abuses_jsDelivr
LOW
Intel Source:
Fortra
Intel Name:
Phishing_Campaign_Abuses_jsDelivr
Date of Scan:
2025-05-26
Impact:
LOW
Summary:
Researchers at Fortra have identified a phishing campaign targeting Microsoft O365 users. The attack initiates with a phishing email containing an .htm file that hides AES-encrypted JavaScript code. Once decrypted, the script connects to a fake open-source package on npm that is served through a CDN such as jsDelivr. This package then generates customized phishing links that include the victim's email address. These links redirect the victim through multiple websites before landing on a fake Office 365 login page to steal their credentials.
Source: https://www.fortra.com/blog/threat-analysis-malicious-npm-package-leveraged-o365-phishing-attack
2025-05-26
ViciousTrap_Edge_Device_Honeypot_Network
LOW
Intel Source:
Sekoia
Intel Name:
ViciousTrap_Edge_Device_Honeypot_Network
Date of Scan:
2025-05-26
Impact:
LOW
Summary:
Researchers from Sekoia have identified ViciousTrap, an actor compromising over 5,500 edge devices globally since March 2025, primarily in Asia, to create a distributed honeypot network. Likely Chinese-speaking, ViciousTrap exploits vulnerabilities like CVE-2023-20118 in devices from over 50 brands, using a script (NetGhost) to redirect traffic from compromised systems to its Malaysia-based interception servers, enabling Man-in-the-Middle data collection on various monitored assets, including some in Taiwan and the US.
Source: https://blog.sekoia.io/vicioustrap-infiltrate-control-lure-turning-edge-devices-into-honeypots-en-masse/
2025-05-25
PureRAT_Spam_Attacks_in_Russia
LOW
Intel Source:
Securelist
Intel Name:
PureRAT_Spam_Attacks_in_Russia
Date of Scan:
2025-05-25
Impact:
LOW
Summary:
Securelist researchers discovered an increase in attacks against Russian enterprises utilizing the Pure malware family, specifically PureRAT and PureLogs. This campaign has been active since March 2023, and it experienced a fourfold growth in early 2025 compared to the same period in 2024. The campaign, which is distributed via spam emails containing malicious RAR files or links, deceives users by using accounting-related file names and double extensions such as .pdf.rar.
Source: https://securelist.ru/purerat-attacks-russian-organizations/112619/
2025-05-25
MUT_9332_Targets_Solidity_Developers
MEDIUM
Intel Source:
Datadog
Intel Name:
MUT_9332_Targets_Solidity_Developers
Date of Scan:
2025-05-25
Impact:
MEDIUM
Summary:
Datadog researchers have uncovered a campaign by the threat actor MUT-9332 targeting Solidity developers on Windows systems. The attackers leveraged deceptive VS Code extensions that appeared legitimate but secretly ran malicious code in the background. These malicious extensions, discovered between April and May 2025 before being removed from the Marketplace, initiated multi-stage infection chains involving obfuscated JavaScript, PowerShell scripts and steganography to hide payloads within image files. Their primary goal was to steal sensitive information such as cryptocurrency wallet credentials and system information and to deploy a remote access tool called Quasar RAT to give the attackers control over the victim's system.
Source: https://securitylabs.datadoghq.com/articles/mut-9332-malicious-solidity-vscode-extensions/
2025-05-24
Fake_Zoom_Invites_Steal_Credentials
LOW
Intel Source:
Spider Labs
Intel Name:
Fake_Zoom_Invites_Steal_Credentials
Date of Scan:
2025-05-24
Impact:
LOW
Summary:
SpiderLabs researchers have identified a phishing campaign targeting corporate users with fake Zoom meeting invitations designed to steal login credentials. The attackers leverage urgent, legitimate-looking emails to lure recipients into clicking malicious links. These links lead to deceptive Zoom pages that include pre-recorded videos, making it appear as if a live meeting is in progress; after a fake disconnection message, the page asks users to enter their credentials on a fake screen. Once entered, the stolen information is immediately sent to the attackers through Telegram. The primary objective of this campaign is to steal login credentials, which could lead to account takeovers.
Source: https://x.com/SpiderLabs/status/1924424257083179462
2025-05-23
TA406_Targeting_Government_Entities_in_Ukraine
MEDIUM
Intel Source:
Proofpoint
Intel Name:
TA406_Targeting_Government_Entities_in_Ukraine
Date of Scan:
2025-05-23
Impact:
MEDIUM
Summary:
Researchers from Proofpoint have uncovered phishing campaigns run by the DPRK state-sponsored actor TA406, also known as Opal Sleet and Konni, targeting government entities in Ukraine. The campaigns focus on credential harvesting and malware deployment to collect intelligence related to the ongoing Russian invasion. The attackers impersonate members of a think tank and send fake Microsoft security alerts to trick people into opening malicious files in HTML, CHM, ZIP or LNK formats. These files execute a hidden PowerShell script that gathers host data, establishes persistence via autorun batch files and sends the data to servers controlled by the attackers.
Source: https://www.proofpoint.com/us/blog/threat-insight/ta406-pivots-front
2025-05-23
PyBitmessage_Backdoor_Malware
LOW
Intel Source:
ASEC
Intel Name:
PyBitmessage_Backdoor_Malware
Date of Scan:
2025-05-23
Impact:
LOW
Summary:
ASEC researchers have identified a hidden backdoor that installs alongside a Monero cryptocurrency miner and leverages the PyBitmessage library for C2 communications. The initial malware decrypts and deploys both the coinminer and a fileless PowerShell-based backdoor that executes directly in memory and downloads additional malicious tools from GitHub or Russian file hosting services. The attacker's primary motive is to exploit the compromised system for cryptocurrency mining while establishing persistent access through the backdoor for potential further attacks.
Source: https://asec.ahnlab.com/ko/88104/
2025-05-23
W3LL_Phishing_Kit_Hits_Outlook_Users
MEDIUM
Intel Source:
Hunt.IO
Intel Name:
W3LL_Phishing_Kit_Hits_Outlook_Users
Date of Scan:
2025-05-23
Impact:
MEDIUM
Summary:
Researchers from Hunt.IO have discovered a phishing campaign leveraging the W3LL Phishing Kit to target Microsoft Outlook credentials. This Phishing-as-a-Service (PaaS) tool, initially identified by Group-IB in 2022 and available through the W3LL Store marketplace, enables attackers to conduct adversary-in-the-middle (AiTM) attacks to hijack session cookies and bypass multi-factor authentication. The observed campaign utilized an open directory on an IP address to host W3LL phishing kit components, including IonCube-obfuscated PHP files in folders named "OV6". The phishing lure involved a fake Adobe Shared File service webpage that, upon attempted login, sent credentials via a POST request, specifically to a /wazzy.php endpoint.
Source: https://hunt.io/blog/phishing-kit-targets-outlook-credentials
2025-05-22
AutoIT_Based_AsyncRAT_Delivery_Chain
LOW
Intel Source:
ISC.SANS
Intel Name:
AutoIT_Based_AsyncRAT_Delivery_Chain
Date of Scan:
2025-05-22
Impact:
LOW
Summary:
Researchers at ISC.SANS have found a malware campaign that delivers a RAT through a dual-layer AutoIT script framework. The first executable downloads an AutoIT interpreter and a second obfuscated AutoIT script that decodes and executes commands using a custom Wales() function. Persistence is enabled using a custom shortcut in the Startup folder that runs JavaScript and initiates further execution. The final payload, injected into a jsc.exe process as a DLL called Urshqbgpm.dll, attempts to communicate with a known AsyncRAT C2 server and includes references to PureHVNC functionality.
Source: https://isc.sans.edu/diary/31960
2025-05-22
Koishi_Chatbot_Plugin_Steals_Messages
LOW
Intel Source:
Socket
Intel Name:
Koishi_Chatbot_Plugin_Steals_Messages
Date of Scan:
2025-05-22
Impact:
LOW
Summary:
Researchers at Socket have discovered a malicious npm package, koishi-plugin-pinhaofa, designed to exfiltrate data from Koishi chatbots. Marketed as a spelling auto-correct helper, the plugin, once installed, silently scans all chatbot messages for any eight-character hexadecimal string. Upon finding such a string, which could represent sensitive data like commit hashes, API tokens, or checksums, the plugin forwards the entire message content to a hardcoded QQ account (UIN: 1821181277) controlled by the threat actor, who uses the npm alias kuminfennel. This exposes any secrets or credentials embedded within or surrounding the trigger string. This activity represents a supply chain attack targeting chatbot frameworks, exploiting the trust developers place in community plugins and the unrestricted access these plugins often have within the bot process.
Source: https://socket.dev/blog/malicious-koishi-chatbot-plugin?utm_medium=feed
2025-05-22
Confluence_Hit_by_ELPACO_Ransomware
MEDIUM
Intel Source:
The DFIR Report
Intel Name:
Confluence_Hit_by_ELPACO_Ransomware
Date of Scan:
2025-05-22
Impact:
MEDIUM
Summary:
The DFIR Report researchers have observed that an unpatched, internet-facing Confluence server was compromised via CVE-2023-22527, leading to the deployment of ELPACO-team ransomware (a Mimic variant) approximately 62 hours later. The threat actor initially used the exploit to deploy a Metasploit payload and establish C2 via IP. Following initial access, the actor performed privilege escalation using RPCSS named pipe impersonation, created a local administrator account ("noname"), and installed AnyDesk for persistent remote access via a self-hosted server. Extensive discovery, including network scanning with SoftPerfect NetScan and attempted Zerologon exploitation, preceded credential harvesting using Mimikatz and Impacket's Secretsdump. Lateral movement was achieved using the compromised domain administrator credentials via Impacket wmiexec and RDP.
Source: https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/#indicators
2025-05-22
Tycoon2FA_Phishing_Using_Malformed_URLs
MEDIUM
Intel Source:
SpiderLabs
Intel Name:
Tycoon2FA_Phishing_Using_Malformed_URLs
Date of Scan:
2025-05-22
Impact:
MEDIUM
Summary:
SpiderLabs researchers have identified that Tycoon2FA-linked phishing campaigns are targeting Microsoft 365 users. These campaigns leverage malformed URLs containing backslash characters (https:\\) instead of forward slashes. Despite this unconventional formatting, most web browsers still resolve these links, leading unsuspecting victims to credential harvesting pages. This technique is employed by threat actors to bypass email security filters and evade URL-based detection systems, ultimately aiming to steal Microsoft 365 credentials. The infrastructure observed involves domains hosted on services like Azure and Cloudflare Workers.
Source: https://x.com/SpiderLabs/status/1924486856902586689
2025-05-22
SEO_Poisoning_Infostealer_Trends
LOW
Intel Source:
ASEC
Intel Name:
SEO_Poisoning_Infostealer_Trends
Date of Scan:
2025-05-22
Impact:
LOW
Summary:
Researchers at ASEC have identified ongoing trends in Infostealer malware spread throughout April 2025, focusing on the continued use of crack and keygen disguises to entice victims. These threats, typically promoted by SEO poisoning to appear at the top of search results, included well-known Infostealers such as LummaC2, Vidar, and StealC.
Source: https://asec.ahnlab.com/en/88062/
2025-05-21
PyPI_Backdoor_Targets_Developers
LOW
Intel Source:
Reversinglabs
Intel Name:
PyPI_Backdoor_Targets_Developers
Date of Scan:
2025-05-21
Impact:
LOW
Summary:
Researchers at ReversingLabs have uncovered a malicious Python package called "dbgpkg" on the PyPI repository, disguised as a debugging tool. Once installed by developers, it deploys a backdoor that allows attackers to execute malicious code and exfiltrate sensitive data. The malware uses Python function wrappers on the requests and socket modules to run its code in the background; that code downloads a public key from Pastebin and uses a tool called Global Socket Tool to bypass firewalls and connect to the attacker's server. This campaign is believed to be linked to Phoenix Hyena/DumpForums, which has been targeting Russian interests in support of Ukraine since 2022.
Source: https://www.reversinglabs.com/blog/backdoor-implant-discovered-on-pypi-posing-as-debugging-utility
2025-05-21
DBatLoader_Targeting_Turkish_Users
LOW
Intel Source:
ASEC
Intel Name:
DBatLoader_Targeting_Turkish_Users
Date of Scan:
2025-05-21
Impact:
LOW
Summary:
ASEC researchers have identified a phishing campaign targeting Turkish users with malware known as DBatLoader, also called ModiLoader. The attackers send phishing emails in the Turkish language, impersonating bank transaction notifications, which contain a malicious RAR file with a BAT script. This initial BAT script executes DBatLoader, which then leverages a series of obfuscated batch scripts and legitimate Windows tools to hide its activity and bypass security systems to install SnakeKeylogger. This malware steals system information, keyboard input and clipboard data and sends the stolen data to the attackers' Telegram-based C2 server.
Source: https://asec.ahnlab.com/ko/87980/
2025-05-20
Evolution_of_Tycoon_2FA_Defense_Evasion_Mechanisms
MEDIUM
Intel Source:
Any.Run
Intel Name:
Evolution_of_Tycoon_2FA_Defense_Evasion_Mechanisms
Date of Scan:
2025-05-20
Impact:
MEDIUM
Summary:
ANY.RUN researchers have analyzed the Tycoon 2FA Phishing-as-a-Service (PhaaS) platform, active since August 2023 and targeting Microsoft 365 and Gmail credentials, which has demonstrated continuous evolution in its anti-detection mechanisms. This AiTM phishing kit employs a multi-stage attack, starting with obfuscated JavaScript on a landing page, which performs several checks ("nomatch" decoy, domain comparison) before proceeding. It then uses Cloudflare Turnstile CAPTCHA (or other CAPTCHA services like reCAPTCHA and IconCaptcha in later variants) and C2 server queries to validate the user before delivering the core phishing content. Later stages involve further Base64/XOR obfuscation, encrypted payload delivery, and dynamic URL generation for data exfiltration to a C2 infrastructure often using .ru, .es, .su, .com, and .net TLDs. Notable new evasion techniques observed between December 2024 and May 2025 include debugger timing checks, debug environment detection (Selenium, PhantomJS), keystroke interception, context menu blocking, dynamic multimedia loading from legitimate CDNs for victim-tailored lures, invisible JavaScript obfuscation, custom fake page redirects, custom CAPTCHAs, browser fingerprinting, and AES encryption for payload obfuscation.
Source: https://any.run/cybersecurity-blog/tycoon2fa-evasion-analysis/
2025-05-20
China_Nexus_State_Actors_Exploiting_SAP_Vulnerability
MEDIUM
Intel Source:
EclecticIQ
Intel Name:
China_Nexus_State_Actors_Exploiting_SAP_Vulnerability
Date of Scan:
2025-05-20
Impact:
MEDIUM
Summary:
EclecticIQ researchers have uncovered that China-nexus state-sponsored groups such as UNC5221, UNC5174 and CL-STA-0048 are exploiting an unauthenticated file upload vulnerability (CVE-2025-31324) in SAP NetWeaver Visual Composer. The threat actors leverage remote code execution to deploy malicious webshells, enabling command execution and the installation of additional payloads like KrustyLoader and the SNOWLIGHT RAT. They are targeting government and essential service organizations in the UK, US and Saudi Arabia, aiming to compromise critical infrastructure, exfiltrate sensitive data, and maintain persistence.
Source: https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures
2025-05-20
FrigidStealer_Malware
LOW
Intel Source:
Wazuh
Intel Name:
FrigidStealer_Malware
Date of Scan:
2025-05-20
Impact:
LOW
Summary:
Wazuh researchers have uncovered a new information-stealing malware named FrigidStealer targeting macOS users since January 2025 and potentially linked to the EvilCorp syndicate. It is being distributed through fake browser update pages on compromised websites, tricking users into downloading a malicious disk image. Upon execution, the malware asks for the user's password via an AppleScript pop-up to bypass macOS Gatekeeper, then registers itself as an application and ensures it runs every time the system starts. FrigidStealer exfiltrates sensitive data including browser credentials, files, system information, and cryptocurrency wallet details and secretly sends it to a remote server using DNS tunneling. It terminates its own process to evade detection.
Source: https://wazuh.com/blog/detecting-frigidstealer-malware-with-wazuh/
2025-05-20
PowerShell_Loader_Executes_Remcos_RAT
LOW
Intel Source:
Qualys
Intel Name:
PowerShell_Loader_Executes_Remcos_RAT
Date of Scan:
2025-05-20
Impact:
LOW
Summary:
Qualys researchers have identified a new PowerShell-based shellcode loader that filelessly loads and executes a variant of Remcos RAT. The attackers deliver this malware inside ZIP archives that contain malicious LNK files disguised as Office documents. When the user opens this file, it triggers an HTA file via mshta.exe, which then downloads and executes obfuscated PowerShell code that runs directly in the system's memory. It leverages Windows functions to load a Remcos RAT variant known as K-Loader. This variant has extensive capabilities including keylogging, screen capture, clipboard access, UAC bypass, and process hollowing for evasion.
Source: https://blog.qualys.com/vulnerabilities-threat-research/2025/05/15/fileless-execution-powershell-based-shellcode-loader-executes-remcos-rat
2025-05-19
APT36_and_Hacktivists_Targeting_India
HIGH
Intel Source:
CyberProof
Intel Name:
APT36_and_Hacktivists_Targeting_India
Date of Scan:
2025-05-19
Impact:
HIGH
Summary:
Researchers at CyberProof have observed a surge in cyber-attacks targeting Indian systems, coinciding with heightened geopolitical tensions following a terrorist attack in Baisaran Valley on April 22, 2025. The Pakistan-linked APT36 (Transparent Tribe) has been observed targeting Indian government and defense offices with phishing URLs and their known Crimson RAT, a tool capable of extensive information theft and voice recording. Simultaneously, hacktivist groups including 'Cyber Group HOAX1337', 'IOK Hacker', and 'National Cyber Crew' have reportedly targeted Indian educational institutes. Lures used by APT36 include malicious PDF files and macro-embedded XLSM documents, often themed around official Indian government or military communications, such as those impersonating Jammu & Kashmir Police or the Indian Air Force. One identified PowerPoint (PPAM) file, "Report & Update Regarding Pahalgam Terror Attack.ppam," contained a malicious macro consistent with older APT36 droppers, designed to deploy Crimson RAT.
Source: https://www.cyberproof.com/blog/cyber-attacks-rise-as-tension-mounts-across-india-pakistan-border-post-terrorist-attack/
2025-05-19
Earth_Ammit_Targets_Drone_Supply_Chain
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Earth_Ammit_Targets_Drone_Supply_Chain
Date of Scan:
2025-05-19
Impact:
MEDIUM
Summary:
Researchers at Trend Micro have discovered that the Chinese-speaking threat group Earth Ammit undertook two synchronized multi-wave campaigns VENOM and TIDRONE between 2023 and 2024, with the goal of disrupting drone supply chains and compromising high-value targets in Taiwan and South Korea. The VENOM campaign targeted software service providers with open-source tools for stealth and low cost, but the subsequent TIDRONE campaign targeted the military industry with custom-built malware such as CXCLNT and CLNTEND for cyberespionage.
Source: https://www.trendmicro.com/en_us/research/25/e/earth-ammit.html
2025-05-19
Ransomware_Hits_Financial_Firms
LOW
Intel Source:
ASEC
Intel Name:
Ransomware_Hits_Financial_Firms
Date of Scan:
2025-05-19
Impact:
LOW
Summary:
Researchers from ASEC have identified a rise in cyber threats targeting financial institutions in Korea and around the world in April 2025. The research focuses on phishing and malware efforts, providing thorough insights into the top ten malware families and compromised Korean account data circulating on Telegram. A notable incident occurred when a threat actor, B_ose, sold over 1,700 stolen credit and debit card details on the Exploit forum, with 80% possibly valid and carrying sensitive information such as CVV numbers and addresses.
Source: https://asec.ahnlab.com/en/87975/
2025-05-18
Technical_Investigation_of_TransferLoader
LOW
Intel Source:
Zscaler
Intel Name:
Technical_Investigation_of_TransferLoader
Date of Scan:
2025-05-18
Impact:
LOW
Summary:
Researchers at Zscaler have analyzed a new malware loader named TransferLoader, active since at least February 2025. This loader, observed deploying Morpheus ransomware at an American law firm, contains multiple embedded components: a downloader, a backdoor, and a specialized loader for the backdoor. All components utilize anti-analysis techniques such as PEB debugging checks, dynamic API resolution via hashing, junk code insertion, and runtime string decryption using unique 8-byte XOR keys. The backdoor module communicates with its C2 server via HTTPS or raw TCP, using custom packet structures and a stream cipher for encryption, and notably employs the InterPlanetary File System (IPFS) as a decentralized fallback mechanism for C2 updates. The shared code similarities and evasion methods across TransferLoader components suggest a common developer.
Source: https://www.zscaler.com/blogs/security-research/technical-analysis-transferloader
2025-05-18
Analysis_of_APT_C_51_Recent_Attacks
MEDIUM
Intel Source:
360 Threat Intelligence Center
Intel Name:
Analysis_of_APT_C_51_Recent_Attacks
Date of Scan:
2025-05-18
Impact:
MEDIUM
Summary:
The 360 Advanced Threat Research Institute reported that APT-C-51 (also known as APT35, Charming Kitten), an actor motivated by political and economic interests, conducted an espionage campaign targeting the Middle East. The attack, observed around January 2025, initiated with LNK files (Biography of Mr.leehu hacohn.lnk) that, upon execution, released a decoy PDF and a compressed archive (osf.zip). This archive contained multiple DLLs, including the malicious Wow.dll, which performed environment checks and decrypted a gclib file using AES (key: {}nj45kdada0slfk) to obtain a PowerShell script. This script was then executed by new.dll, leading to the deployment of the PowerLess Trojan (version: 3.3.4).
Source: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247505927&idx=1&sn=d2298d5b26d0f1cfb53c4304a0c55c38
2025-05-18
Adwind_RAT_Targets_Italy_via_PDF_Spear_Phishing
MEDIUM
Intel Source:
CERT-AGID
Intel Name:
Adwind_RAT_Targets_Italy_via_PDF_Spear_Phishing
Date of Scan:
2025-05-18
Impact:
MEDIUM
Summary:
CERT-AGID researchers have identified a large-scale Adwind RAT distribution campaign targeting Italy, Spain, and Portugal, corroborating earlier findings by Fortinet. The attackers employ spear-phishing emails with PDF attachments (Document.pdf, Invoice.pdf) that contain links to cloud storage services like OneDrive or Dropbox. These links lead to the download of an obfuscated VBS or HTML file, which, once deobfuscated, downloads a decoy PDF from Google Drive and, in parallel, a ~90MB ZIP archive from a URL. Unlike previous Adwind campaigns that directly dropped JAR files, this variant delivers a ZIP package containing both the necessary Java environment and the Adwind JAR file disguised as a PNG image (InvoiceXpress.png). This JAR is executed via a CMD script (InvoiceXpress.cmd). The Adwind configuration, encrypted with AES in ECB mode, points to a C2 subdomain on port 4414, consistent with previous Adwind infrastructure.
Source: https://cert-agid.gov.it/news/distribuzione-mirata-in-italia-di-adwind/
2025-05-17
Ransomware_Groups_Exploiting_SAP_Vulnerability
LOW
Intel Source:
Reliaquest
Intel Name:
Ransomware_Groups_Exploiting_SAP_Vulnerability
Date of Scan:
2025-05-17
Impact:
LOW
Summary:
ReliaQuest researchers have uncovered that the Russian ransomware group BianLian and the operators of RansomEXX, also known as Storm-2460, are exploiting the vulnerability CVE-2025-31324 in SAP NetWeaver Visual Composer. This vulnerability gives attackers remote code execution, allowing them to upload and run malicious files without authentication. The attackers leverage this vulnerability to upload malicious JSP webshells to gain initial access and then deploy post-exploitation tools like Brute Ratel and Heaven's Gate for command-and-control, evasion and further compromise.
Source: https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
2025-05-17
FortiVoice_Zero_Day_RCE_Exploited
LOW
Intel Source:
Truesec
Intel Name:
FortiVoice_Zero_Day_RCE_Exploited
Date of Scan:
2025-05-17
Impact:
LOW
Summary:
Researchers at Truesec have discovered that CVE-2025-32756, a zero-day stack-based buffer overflow vulnerability in Fortinet products, has been extensively exploited in the field. The vulnerability affects FortiVoice, FortiRecorder, FortiMail, FortiNDR, and FortiCamera, allowing remote, unauthenticated attackers to execute arbitrary commands via specially crafted HTTP requests with a modified hash cookie.
Source: https://www.truesec.com/hub/blog/cve-2025-32756-fortivoice-zero-day-buffer-overflow-exploited
2025-05-16
PyInstaller_Malware_on_MacOS_Users
LOW
Intel Source:
Jamf Threat Labs
Intel Name:
PyInstaller_Malware_on_MacOS_Users
Date of Scan:
2025-05-16
Impact:
LOW
Summary:
Jamf Threat Labs uncovered a new infostealer targeting macOS users. It is delivered through PyInstaller, a legitimate tool that converts Python scripts into Mach-O executables. This technique allows attackers to execute malicious Python payloads without requiring a Python installation on the system, which matters because Apple no longer includes Python by default. The malware, named stl installer and sosorry, leverages fake password prompts to trick users into giving up their credentials. It can also run additional malicious AppleScript commands from a remote server, steal saved passwords and other sensitive information from the macOS Keychain, and search for cryptocurrency wallets to exfiltrate private keys.
Source: https://www.jamf.com/blog/pyinstaller-malware-jamf-threat-labs/
2025-05-16
DarkCloud_Stealer
LOW
Intel Source:
Palo Alto
Intel Name:
DarkCloud_Stealer
Date of Scan:
2025-05-16
Impact:
LOW
Summary:
Palo Alto researchers have discovered a new data-stealing malware called DarkCloud Stealer, which has been active since 2022. It is distributed primarily through phishing emails that contain a malicious RAR file or a PDF designed to trick users into downloading the RAR from a file-sharing site. The archive contains an AutoIt-compiled executable which unpacks and executes the final payload, DarkCloud Stealer. This stealer is capable of harvesting a wide range of sensitive data, including browser and email credentials, FTP details, contact lists, system details and screenshots. It has been targeting multiple industries such as finance, manufacturing, media and entertainment, and government, with a particular focus on the U.S. and Brazil.
Source: https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit-scripting/
2025-05-16
Devices_Hit_by_Stack_Overflow
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Devices_Hit_by_Stack_Overflow
Date of Scan:
2025-05-16
Impact:
MEDIUM
Summary:
Fortinet researchers have discovered a stack-based buffer overflow vulnerability (CWE-121) in FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera products that could allow a remote unauthenticated attacker to execute arbitrary code or commands using specially crafted HTTP requests. Notably, this vulnerability has been extensively exploited in the wild, specifically targeting FortiVoice devices.
Source: https://fortiguard.fortinet.com/psirt/FG-IR-25-254
2025-05-16
PyPI_Packages_Targets_Solana_Developers
LOW
+
Intel Source:
Reversinglabs
Intel Name:
PyPI_Packages_Targets_Solana_Developers
Date of Scan:
2025-05-16
Impact:
LOW
Summary:
Researchers at ReversingLabs have discovered a malicious Python package called solana-token on the PyPI repository. It specifically targets Solana blockchain developers to steal source code and developer secrets. The package masquerades as a legitimate tool for the Solana blockchain but secretly sends Python files and their contents to a hardcoded IP address. The solana-token package was downloaded over 600 times and even reused the name of an earlier malicious package before it was removed.
Source: https://www.reversinglabs.com/blog/same-name-different-hack-pypi-package-targets-solana-developers
2025-05-15
Uncovering_SuperShell_and_CobaltStrike
LOW
+
Intel Source:
Hunt.IO
Intel Name:
Uncovering_SuperShell_and_CobaltStrike
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
Hunt.IO researchers have discovered a collection of hacking tools, including SuperShell malware and Cobalt Strike beacons, that were accessible on the internet. These tools were unintentionally exposed by threat actors while setting up their attack infrastructure. SuperShell is a new C2 framework capable of targeting multiple operating systems, using secure SSH connections to control compromised machines. The researchers also identified Cobalt Strike beacons using separate infrastructure and deceptive certificates impersonating jQuery to evade detection.
Source: https://hunt.io/blog/uncovering-supershell-and-cobalt-strike-from-an-open-directory
2025-05-15
Gunra_Ransomware_Targeting_Windows
MEDIUM
+
Intel Source:
Cyfirma
Intel Name:
Gunra_Ransomware_Targeting_Windows
Date of Scan:
2025-05-15
Impact:
MEDIUM
Summary:
Researchers at CYFIRMA have discovered a new ransomware strain called Gunra that mainly targets Windows-based systems in a variety of worldwide industries, including real estate, pharmaceuticals, and manufacturing. Gunra, based on Conti ransomware, uses double-extortion techniques by encrypting files with the ".ENCRT" extension and threatening to expose stolen data over a Tor-hosted page. The malware uses complex tactics such as anti-analysis with the IsDebuggerPresent API, evasion of rule-based detections, obfuscation, and shadow copy deletion via WMI.
Source: https://www.cyfirma.com/research/gunra-ransomware-a-brief-analysis/
2025-05-15
Pupkin_Stealer
LOW
+
Intel Source:
Rixed Labs
Intel Name:
Pupkin_Stealer
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
A recent analysis details Pupkin Stealer, a straightforward .NET-based info-stealer first identified in April 2025. It is likely developed by a Russian-speaking freelancer or novice developer known as "Ardent." Pupkin targets Windows systems, running multiple tasks to steal credentials from Chromium browsers, Discord tokens, active Telegram sessions, specific desktop files (.pdf, .txt, .sql, .jpg, .png), and even desktop screenshots. The malware relies on standard .NET libraries and embeds dependencies using Costura.Fody, which results in high file entropy but lacks advanced evasion techniques or persistence mechanisms. The stolen data is compressed into a ZIP archive and exfiltrated via a hardcoded Telegram bot API, though the exfiltration process has flaws, such as incorrect byte-to-string conversion and improper MIME type handling.
Source: https://muff-in.github.io/blog/pupkin-info-stealer-analysis/
2025-05-15
Malware_Payload_via_Steganography
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Malware_Payload_via_Steganography
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
ISC.SANS researchers have detailed an instance in April 2025 where malware employed steganography to deliver a secondary payload. An initial .NET executable, identified as belonging to the XWorm family, utilized obfuscated strings and reflective code loading techniques. This initial malware downloaded a PNG image file from a public image hosting service. It then extracted a hidden executable payload embedded within the red pixel channel data of the image's top row. This secondary payload was subsequently loaded reflectively into memory for execution.
Source: https://isc.sans.edu/diary/Example%20of%20a%20Payload%20Delivered%20Through%20Steganography/31892
2025-05-15
Pig_Butchering_Operation
LOW
+
Intel Source:
Infoblox
Intel Name:
Pig_Butchering_Operation
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
Infoblox uncovered a cryptocurrency scam, a pig butchering operation, disguised as a remote job offer that began through a message on Telegram from a fake company called Corner Office Consultants. The fake job involved repetitive online tasks for commissions on a website impersonating the legitimate marketing firm Marble Media. After victims complete some tasks, the scammers lure them into depositing cryptocurrency by creating a negative account balance that must be topped up to continue working or to withdraw supposed earnings. The cybercriminals leveraged fake identities using stock photos and later switched to romance scams when the task-based fraud stalled.
Source: https://blogs.infoblox.com/threat-intelligence/telegram-tango-dancing-with-a-scammer/
2025-05-15
Criminals_Targeting_End_of_Life_Routers
LOW
+
Intel Source:
Bitdefender
Intel Name:
Criminals_Targeting_End_of_Life_Routers
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
The FBI has issued a cybersecurity advisory about a surge in malicious activity targeting end-of-life (EOL) routers, with a particular focus on outdated Linksys models. Threat actors are exploiting known and unpatchable vulnerabilities commonly found in the built-in remote management software of these unsupported devices. The FBI reports that attackers are deploying malware such as 5Socks and Anyproxy to gain persistent root-level access, effectively converting the compromised routers into botnet infrastructure. These devices are then used to steal sensitive user information such as login credentials and financial data, to launch DDoS attacks, or are sold as proxy nodes to other threat actors.
Source: https://www.bitdefender.com/en-us/blog/hotforsecurity/fbi-end-of-life-routers-cyberattacks
2025-05-15
ContagiousInterview_Campaign_Infrastructure
LOW
+
Intel Source:
Team Cymru
Intel Name:
ContagiousInterview_Campaign_Infrastructure
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
Team Cymru researchers have disclosed network infrastructure details associated with DPRK-linked actors conducting "ContagiousInterview" campaigns, observed over several years as of April 2025. The threat actors utilize front companies, such as BlockNovas LLC, with associated domains hosted on Russian infrastructure, specifically IP addresses assigned to TransTelecom and InvestStroyTrest. InvestStroyTrest operates a ferry service between Russia and North Korea from Rajin, KP, a service recently highlighted by a captured North Korean soldier, suggesting a potential link between the cyber infrastructure provider and physical logistics supporting DPRK objectives.
Source: https://x.com/teamcymru_S2/status/1915827990774063179
2025-05-15
Nitrogen_Dropping_Cobalt_Strike
MEDIUM
+
Intel Source:
Nextron Systems
Intel Name:
Nitrogen_Dropping_Cobalt_Strike
Date of Scan:
2025-05-15
Impact:
MEDIUM
Summary:
Nextron Systems researchers have observed activity by the Nitrogen ransomware group, first detected in September 2024 and expanding from North America to Africa and Europe. This group gains initial access primarily through malvertising campaigns, tricking users searching for legitimate software like WinSCP into downloading trojanized installers from compromised WordPress sites. These installers utilize DLL sideloading ("NitrogenLoader") to execute malicious code, ultimately deploying Cobalt Strike beacons. Nitrogen actors use the compromised host as a pivot point, leveraging Cobalt Strike for lateral movement and post-compromise actions while attempting to cover tracks by clearing Windows event logs.
Source: https://www.nextron-systems.com/2025/04/29/nitrogen-dropping-cobalt-strike-a-combination-of-chemical-elements/
2025-05-15
Gremlin_Stealer
LOW
+
Intel Source:
Palo Alto
Intel Name:
Gremlin_Stealer
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
Researchers from Palo Alto have discovered a new info-stealing malware called Gremlin Stealer that first emerged in March 2025. It is written in C and capable of stealing sensitive data from Windows systems such as passwords, browser cookies, form inputs and credit card information from popular browsers such as Chrome and Gecko-based browsers. It also targets cryptocurrency wallets (Exodus, MetaMask, Monero), FTP clients (TotalCommander, FileZilla), VPNs, Steam, Telegram and Discord channels. The malware collects system information, takes screenshots, swaps crypto wallet addresses and sends all stolen data in a ZIP file to a command-and-control server or via Telegram. The operation appears to make money both by selling the malware and through the stolen data.
Source: https://unit42.paloaltonetworks.com/new-malware-gremlin-stealer-for-sale-on-telegram/
2025-05-15
Pentagon_Stealer
LOW
+
Intel Source:
Any.Run
Intel Name:
Pentagon_Stealer
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
ANY.RUN researchers have detailed the emergence and evolution of Pentagon Stealer, an information-stealing malware observed since early March 2024, targeting cryptocurrency assets and user credentials. Initially identified in Golang and Python variants, the malware steals browser data (credentials, cookies), crypto wallet information (Atomic, Exodus), Discord/Telegram tokens, and specific files, communicating stolen data via HTTP POST requests to command and control (C2) servers. Key techniques include launching browsers in debug mode to bypass DPAPI and steal cookies directly, and replacing wallet application files (app.asar) with modified versions to capture mnemonics and passwords. The Python version employs multi-stage, AES-encrypted delivery, while the Golang version appeared later in attack chains involving NSIS installers.
Source: https://any.run/cybersecurity-blog/pentagon-stealer-malware-analysis/
2025-05-15
Stealerium_Infostealer
LOW
+
Intel Source:
Seqrite
Intel Name:
Stealerium_Infostealer
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
Seqrite Labs researchers have uncovered an ongoing campaign targeting U.S. citizens during tax season by taking advantage of the annual tax filing deadline. Threat actors are sending phishing emails containing a malicious LNK file disguised as a legitimate tax-related document to deceive users into opening it. Once the user clicks on the attachment, the LNK file executes hidden PowerShell commands that download and install a data-stealing malware called Stealerium. This malware is designed to steal sensitive information like browser passwords, crypto wallets, chat logs, VPN and Wi-Fi credentials, and other system details.
Source: https://www.seqrite.com/blog/threat-actors-are-targeting-us-tax-session-with-new-tactics-of-stealerium-infostealer/
2025-05-15
Chihuahua_Stealer
LOW
+
Intel Source:
G-Data
Intel Name:
Chihuahua_Stealer
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
GDATA Security researchers have identified a new .NET-based malware called Chihuahua Stealer which is capable of stealing sensitive information from compromised systems. It first emerged in April 2025, spreading through a malicious PowerShell script hidden in a Google Drive document. Once executed, it mainly steals information from web browsers, cryptocurrency wallets and specific user files on the system. The malware leverages scheduled tasks for persistence and downloads additional payloads from backup servers. It compresses the stolen data into a zip file with a .chihuahua extension using AES-GCM encryption through Windows APIs. The encrypted data is then exfiltrated over HTTPS and the malware attempts to delete its traces.
Source: https://www.gdatasoftware.com/blog/2025/05/38199-chihuahua-infostealer
2025-05-15
APT36_Spoofs_Indias_Defence_Portal
HIGH
+
Intel Source:
Hunt.IO
Intel Name:
APT36_Spoofs_Indias_Defence_Portal
Date of Scan:
2025-05-15
Impact:
HIGH
Summary:
Hunt.io researchers have identified an attack campaign employing APT36-style ClickFix techniques, observed in March 2025, spoofing India's Ministry of Defence to deliver cross-platform malware. The operation involved cloning the Ministry's press release portal, using attacker-controlled domains mimicking official subdomains, and directing visitors based on their operating system (Windows or Linux) to specific pages designed to facilitate malware execution via clipboard hijacking. Windows users were served an HTA payload via mshta.exe after a spoofed "For Official Use Only" warning, while Linux users were prompted to execute a shell script downloaded from a likely compromised .in domain following a fake CAPTCHA lure.
Source: https://hunt.io/blog/apt36-clickfix-campaign-indian-ministry-of-defence
2025-05-15
Unveiling_LUMMAC_V2
MEDIUM
+
Intel Source:
Google Security Operations
Intel Name:
Unveiling_LUMMAC_V2
Date of Scan:
2025-05-15
Impact:
MEDIUM
Summary:
Google Security Operations has detailed the LUMMAC.V2 (aka Lumma, Lummastealer) infostealer, a C++ rework of the original LUMMAC credential stealer featuring a binary morpher. This malware, often distributed via malicious search results leading to fake CAPTCHA pages ("ClickFix" technique), tricks users into executing PowerShell commands via the Run dialog. The initial PowerShell loader fetches subsequent stages, which Mandiant has observed employing varied execution methods including DLL search order hijacking, process hollowing (targeting BitlockerToGo.exe), and obfuscated AutoIt-based droppers performing anti-analysis checks. LUMMAC.V2 establishes persistence via registry Run keys and targets a wide array of sensitive data including browser credentials, cryptocurrency wallets, password managers, email clients, system details, and screenshots, exfiltrating the stolen information as a ZIP archive over HTTP to Cloudflare-fronted command-and-control servers.
Source: https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Unveiling-LUMMAC-V2-with-Google-Security/ba-p/899110
2025-05-15
SPID_Phishing_Campaign
LOW
+
Intel Source:
CERT-AGID
Intel Name:
SPID_Phishing_Campaign
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
CERT-AGID has identified a phishing campaign targeting SPID users by exploiting the AgID name and logo through a recently registered fake domain. The phishing emails, with the subject line “Imminent SPID suspension: mandatory action”, urge recipients to click an Update Documentation button that redirects them to a malicious site designed to steal SPID credentials, copies of identity documents and recognition videos.
Source: https://cert-agid.gov.it/news/campagna-di-phishing-spid-tramite-falso-dominio-agid/
2025-05-15
Python_InfoStealer_with_Phishing_Server
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Python_InfoStealer_with_Phishing_Server
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
Researchers at ISC.SANS have found a Python-based InfoStealer that not only has basic capabilities such as anti-debugging, persistence via registry and scheduled tasks, keylogging, clipboard capture, and periodic snapshots, but also embeds a phishing web server using Flask. The malware sends data encrypted with the Fernet module to a Telegram channel and operates its modules in separate threads to maximize efficiency.
Source: https://isc.sans.edu/diary/rss/31924
2025-05-15
Iranian_Espionage_via_Fake_Model_Site
LOW
+
Intel Source:
unit42
Intel Name:
Iranian_Espionage_via_Fake_Model_Site
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
Unit 42 researchers have found an emerging Iranian cyberespionage operation that used a fake website to pose as a German model agency. The website, which imitates the branding of the firm, uses obfuscated JavaScript to gather comprehensive visitor data, including IP addresses, browser fingerprints, and screen resolutions, most likely to facilitate precise targeting. A bogus profile with an invalid hyperlink to a private album points to potential spear phishing or other social engineering attack preparations.
Source: https://unit42.paloaltonetworks.com/iranian-attackers-impersonate-model-agency/
2025-05-15
Swan_Vector_APT_Targets_East_Asia
LOW
+
Intel Source:
Seqrite
Intel Name:
Swan_Vector_APT_Targets_East_Asia
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
Researchers from Seqrite Labs have discovered an innovative cyber-espionage campaign known as Swan Vector that targeted businesses in Taiwan and Japan, notably those in the education and mechanical engineering fields. The attackers use false resumes as decoys to deploy a four-stage malware chain that starts with a malicious LNK file and ends with the execution of Cobalt Strike shellcode. To avoid detection, the campaign uses a variety of stealth techniques such as DLL sideloading, API hashing, and direct syscalls, while also exploiting legitimate tools such as RunDLL32.exe.
Source: https://www.seqrite.com/blog/swan-vector-apt-targeting-taiwan-japan-dll-implants/
2025-05-15
Mamona_Ransomware
MEDIUM
+
Intel Source:
Any.Run
Intel Name:
Mamona_Ransomware
Date of Scan:
2025-05-15
Impact:
MEDIUM
Summary:
Researchers from ANY.RUN have uncovered a new ransomware strain called Mamona that first appeared in May 2025 and is believed to be linked to BlackLock affiliates. This ransomware operates offline, which means it encrypts files on the victim's system without connecting to a remote server. It encrypts files with the .HAes extension and drops ransom notes (README.HAes.txt) claiming data has been stolen. However, no data exfiltration or C2 communication has been observed. The group employs simple obfuscation techniques such as delay loops, and the malware deletes itself after running to avoid detection. It relies on custom encryption methods instead of standard libraries, but a decryption tool exists that can recover files. This easy-to-use ransomware lowers the entry barrier for less skilled threat actors to contribute to wider ransomware activities.
Source: https://any.run/cybersecurity-blog/mamona-ransomware-analysis/
2025-05-15
Fake_SSA_Emails_Install_Remote_Access_Tool
MEDIUM
+
Intel Source:
MalwareBytes
Intel Name:
Fake_SSA_Emails_Install_Remote_Access_Tool
Date of Scan:
2025-05-15
Impact:
MEDIUM
Summary:
Malwarebytes researchers have identified a phishing campaign leveraging fake US Social Security Administration (SSA) emails to trick users into installing a legitimate remote access tool, ScreenConnect. These deceptive emails, sent by a group known as Molatori, claim that a Social Security statement is ready to download, but exclusively on Windows PCs. When victims click the link, they unknowingly install ScreenConnect, which gives attackers full remote access to their systems. This access allows them to execute commands, transfer files, install further malware and exfiltrate sensitive data like banking details and personal identification numbers.
Source: https://www.malwarebytes.com/blog/news/2025/04/fake-social-security-statement-emails-trick-users-into-installing-remote-tool
2025-05-15
Atomic_Stealer_Distributed_as_a_Crack_Program
LOW
+
Intel Source:
ASEC
Intel Name:
Atomic_Stealer_Distributed_as_a_Crack_Program
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
ASEC researchers have identified a malware campaign in which a macOS information-stealer dubbed Atomic Stealer is being distributed as cracked software such as Evernote. When users visit these malicious sites, their device type is checked: macOS users are redirected to the AMOS download page while Windows users are directed to LummaC2 malware. The Amos stealer employs AppleScript and system commands to steal browser data, keychain passwords, cryptocurrency wallets and other sensitive files. Additionally, the malware checks for virtual machine environments before compressing collected data and secretly sending it to the attacker's server via HTTP POST requests.
Source: https://asec.ahnlab.com/ko/87730/
2025-05-15
TheWizards_APT_Group_Activity
MEDIUM
+
Intel Source:
ESET Research
Intel Name:
TheWizards_APT_Group_Activity
Date of Scan:
2025-05-15
Impact:
MEDIUM
Summary:
Researchers at ESET have observed the activity of TheWizards, a China-aligned APT group active since at least 2022, targeting entities in the Philippines, Cambodia, UAE, mainland China, and Hong Kong. The group employs a sophisticated adversary-in-the-middle (AitM) tool named Spellbinder, which exploits IPv6 Stateless Address Autoconfiguration (SLAAC) spoofing within compromised networks. This technique allows TheWizards to intercept local network traffic, specifically DNS requests for popular Chinese software update domains (e.g., Tencent QQ, Sogou Pinyin), and redirect victims to attacker-controlled servers delivering malicious updates. These updates deploy a downloader, often disguised as a legitimate DLL side-loaded by abused executables, which in turn fetches and executes the modular .NET backdoor, WizardNet.
Source: https://www.welivesecurity.com/en/eset-research/thewizards-apt-group-slaac-spoofing-adversary-in-the-middle-attacks/
2025-05-15
Scattered_Spider_Hits_UK_Retail
HIGH
+
Intel Source:
Cyberint
Intel Name:
Scattered_Spider_Hits_UK_Retail
Date of Scan:
2025-05-15
Impact:
HIGH
Summary:
Researchers at Cyberint have discovered that the financially motivated threat group Scattered Spider, also known as Roasting 0ktapus or Scatter Swine, is most likely responsible for recent cyberattacks against UK retail organizations, with the DragonForce ransomware cartel being blamed for the extortion stage. Scattered Spider has been active since 2022, transitioning from targeting telecom and BPO sectors to attacking high-leverage businesses such as retail, particularly during peak seasons. The organization deploys advanced identity-centric approaches, such as social engineering, SMS and Telegram phishing, SIM swapping, and MFA fatigue attacks. They use vulnerabilities such as CVE-2015-2291 and CVE-2021-35464, as well as programs like STONESTOP, POORTRY, and various remote access applications, to disable protections, gain persistence, and exfiltrate data.
Source: https://cyberint.com/blog/dark-web/meet-scattered-spider-the-group-currently-scattering-uk-retail-organizations/
2025-05-14
Operation_ToyBox_Story
HIGH
+
Intel Source:
Genians Security Center
Intel Name:
Operation_ToyBox_Story
Date of Scan:
2025-05-14
Impact:
HIGH
Summary:
Genians Security Center (GSC) detailed "Operation: ToyBox Story," a March 2025 spear-phishing campaign by the North Korean state-sponsored group APT37 targeting activists focused on North Korea. Using lures disguised as South Korean national security think tank invitations or information on North Korean troops in Russia, the campaign delivered malicious LNK files via Dropbox links within emails. Execution of the LNK file triggers a multi-stage infection chain involving hidden PowerShell commands, shellcode injection, and the deployment of the RokRAT backdoor, which harvests system information and screenshots for exfiltration. APT37 leverages legitimate cloud platforms like Dropbox, pCloud, and Yandex as command-and-control (C2) infrastructure, demonstrating a "Living off Trusted Sites" approach to evade detection. This continued reliance on cloud services and fileless techniques for payload delivery underscores APT37's persistent espionage objectives and presents a significant challenge for signature-based defenses, necessitating robust endpoint detection and response (EDR) capabilities and anomaly hunting to identify and mitigate the threat.
Source: https://www.genians.co.kr/en/blog/threat_intelligence/toybox-story
2025-05-14
Malicious_PyPI_Package_Targets_Discord_Developers
LOW
+
Intel Source:
Socket
Intel Name:
Malicious_PyPI_Package_Targets_Discord_Developers
Date of Scan:
2025-05-14
Impact:
LOW
Summary:
Socket Research Team has discovered a malicious Python package called discordpydebug targeting Discord developers. This package masqueraded as a non-malicious tool for logging application errors but actually contained a hidden Remote Access Trojan (RAT). Once installed, it connects to a server controlled by attackers, enabling them to run commands, read and write files, and exfiltrate sensitive data such as tokens and credentials from compromised developer systems. The package was downloaded over 11,000 times before it was taken down.
Source: https://socket.dev/blog/malicious-pypi-package-targets-discord-developers-with-RAT
2025-05-14
Horabot_Malware_Campaign
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Horabot_Malware_Campaign
Date of Scan:
2025-05-14
Impact:
MEDIUM
Summary:
Researchers from Fortinet have uncovered a malware campaign named Horabot targeting Spanish-speaking users across Latin America. The threat actor leverages phishing emails masquerading as legitimate invoices, embedding malicious HTML attachments that initiate a multi-stage infection chain using VBScript, AutoIt and PowerShell. The malware performs environmental checks to evade antivirus and virtual machines before establishing persistence. Once established, it collects system information, extracts Outlook contacts and steals browser credentials. It also leverages Outlook COM automation to spread laterally by sending phishing emails from compromised accounts, enabling data exfiltration and the deployment of additional banking trojans.
Source: https://www.fortinet.com/blog/threat-research/horabot-unleashed-a-stealthy-phishing-threat
2025-05-13
Marbled_Dust
HIGH
+
Intel Source:
Microsoft
Intel Name:
Marbled_Dust
Date of Scan:
2025-05-13
Impact:
HIGH
Summary:
Microsoft Threat Intelligence reports that since April 2024, the Türkiye-affiliated espionage actor Marbled Dust has exploited a zero-day directory traversal vulnerability (CVE-2025-27920) in the Output Messenger chat application. The actor targets entities associated with the Kurdish military operating in Iraq, consistent with Marbled Dust's previously observed regional targeting priorities aimed at furthering Turkish government interests. After gaining authenticated access to the Output Messenger Server Manager, potentially via intercepted credentials from DNS hijacking or typo-squatting, Marbled Dust exploits the vulnerability to deploy VBScripts and a GoLang backdoor, enabling command-and-control communication and data exfiltration. This campaign signifies an increase in Marbled Dust's technical sophistication through the use of a zero-day exploit, posing a substantial espionage risk, as compromise grants attackers broad access to sensitive communications and user data within the targeted organization.
Source: https://www.microsoft.com/en-us/security/blog/2025/05/12/marbled-dust-leverages-zero-day-in-output-messenger-for-regional-espionage/
2025-05-13
Cursor_IDE_Hijacked_via_Malicious_NPM
LOW
+
Intel Source:
Socket
Intel Name:
Cursor_IDE_Hijacked_via_Malicious_NPM
Date of Scan:
2025-05-13
Impact:
LOW
Summary:
Socket researchers have identified three malicious npm packages (sw-cur, sw-cur1, aiide-cur) targeting macOS developers using the popular Cursor AI code editor. Published by threat actors using the aliases gtr2018 and aiide, these packages masqueraded as tools offering a cheap Cursor API, luring developers seeking cost savings. Upon execution, the malware steals Cursor credentials, fetches an AES-encrypted secondary payload from actor-controlled infrastructure, decrypts it, and overwrites the editor's core main.js file, establishing persistent backdoor access within the trusted IDE environment; one variant also disabled auto-updates.
Source: https://socket.dev/blog/malicious-npm-packages-hijack-cursor-editor-on-macos?utm_medium=feed
2025-05-13
WaterPlum_Using_OtterCookie_Malware_New_Features
MEDIUM
+
Intel Source:
NTT Security
Intel Name:
WaterPlum_Using_OtterCookie_Malware_New_Features
Date of Scan:
2025-05-13
Impact:
MEDIUM
Summary:
NTT Security researchers have observed the continued evolution of OtterCookie malware, utilized by the North Korea-linked threat actor WaterPlum (also known as Famous Chollima or PurpleBravo). OtterCookie, first identified in September 2024, targets financial institutions, cryptocurrency operators, and FinTech companies worldwide. The latest versions, v3 (observed February 2025) and v4 (observed April 2025), introduce enhanced stealer capabilities. Version 3 added an upload module for exfiltrating documents, images, and cryptocurrency-related files from non-Windows environments. Version 4 further expands functionality with two new stealer modules: one decrypts and steals Google Chrome credentials using DPAPI, while another exfiltrates MetaMask, Chrome, Brave browser credentials, and macOS credentials without decryption.
Source: https://jp.security.ntt/tech_blog/en-waterplum-ottercookie
2025-05-13
PupkinStealer
LOW
+
Intel Name:
PupkinStealer
Date of Scan:
2025-05-13
Impact:
LOW
Summary:
Cyfirma researchers have discovered a new infostealer malware called PupkinStealer that first emerged in April 2025 and is linked to a Russian-origin developer named Ardent. This malware is written in .NET and designed to steal sensitive information from Windows systems. It targets saved passwords from browsers like Chrome, Edge and Opera, desktop files, session data from Telegram and Discord, and takes screenshots. Once collected, the data is stored in a temporary folder, zipped into a file named with the victim’s username, and sent to the attacker using the Telegram Bot API.
Source: https://www.cyfirma.com/research/pupkinstealer-a-net-based-info-stealer/
2025-05-12
Lumma_Infostealer_GitHub_Campaign
LOW
+
Intel Source:
Picus Security
Intel Name:
Lumma_Infostealer_GitHub_Campaign
Date of Scan:
2025-05-12
Impact:
LOW
Summary:
Lumma Stealer, an information-stealing malware offered as a Malware-as-a-Service (MaaS) since August 2022, has seen a significant surge in use throughout 2024-2025, with Picus Security reporting a 369% increase in infections in late 2024. Financially motivated cybercriminals, including affiliates like the "Stargazer Goblin" group, leverage Lumma Stealer to harvest credentials, banking information, and cryptocurrency wallets. Operators primarily abuse trusted platforms like GitHub for initial access, using spearphishing links in fake issue comments or bogus security team notifications to distribute trojanized installers, often disguised as fixes or legitimate tools. Other tactics include malvertising campaigns leading to fake CAPTCHA pages that trick users into executing malicious PowerShell commands. Lumma employs numerous defense evasion techniques such as "Living off the Land" (using legitimate tools like mshta.exe, PowerShell, WMI), payload encryption, sandbox detection, and process hollowing. Stolen data is typically exfiltrated via HTTP/HTTPS to attacker C2 servers.
Source: https://www.picussecurity.com/resource/blog/lumma-infostealer-continues-its-github-social-engineering-campaign
2025-05-12
BPFDoor_Linux_Malware_Activity
MEDIUM
+
Intel Source:
ASEC
Intel Name:
BPFDoor_Linux_Malware_Activity
Date of Scan:
2025-05-12
Impact:
MEDIUM
Summary:
Researchers at AhnLab have observed the continuous exploitation of the Linux-based backdoor malware BPFDoor in recent hacking attacks, as detailed in a new alert and a related hash notification from KISA. Initially described in an October 2024 ASEC blog article, BPFDoor remains a continuous threat due to its open-source nature, which allows for the ongoing distribution of multiple modified strains.
Source: https://asec.ahnlab.com/en/87863/
2025-05-12
Chinese_Group_Exploiting_SAP_Vulnerability
MEDIUM
Intel Source:
Forescout
Intel Name:
Chinese_Group_Exploiting_SAP_Vulnerability
Date of Scan:
2025-05-12
Impact:
MEDIUM
Summary:
Researchers at Forescout have observed that CVE-2025-31324, a critical deserialization vulnerability in SAP NetWeaver Visual Composer 7.x, is being actively exploited in the wild by a Chinese threat actor tracked as Chaya_004. Exploitation, observed since at least April 29, involves POST requests to the /developmentserver/metadatauploader endpoint to upload web shells, facilitating remote code execution and potential full system takeover. The threat actor's infrastructure includes servers, many hosted on Chinese cloud providers, hosting Supershell backdoors and various Chinese-origin penetration testing tools.
Source: https://www.forescout.com/blog/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor/
2025-05-11
Intrusion_of_Interlock_Ransomware
MEDIUM
Intel Source:
GuidePoint
Intel Name:
Intrusion_of_Interlock_Ransomware
Date of Scan:
2025-05-11
Impact:
MEDIUM
Summary:
Researchers at GuidePoint have uncovered a cyber-attack by the Interlock ransomware group in which attackers trick users into downloading SocGholish malware through fake human verification pop-ups placed on compromised legitimate websites. Once initial access is gained, Interlock operators install NetSupport RAT to maintain persistence on the system, perform network scanning, and escalate their privileges using techniques such as hijacking Microsoft 365 sessions and stealing credentials from LastPass. Afterward, the attackers use a renamed copy of the AzCopy tool to transfer sensitive data to attacker-controlled cloud storage. Finally, they deploy the Interlock ransomware, leveraging tools like PsExec or even Group Policy Objects to spread across systems, locking users out and encrypting data.
Source: https://www.guidepointsecurity.com/blog/interesting-interlock-intrusion-how-interlock-achieves-encryption/
