Threat Research Feed

2025-12-06
Executive_Award_Campaign
MEDIUM
Intel Source:
Spider Labs
Intel Name:
Executive_Award_Campaign
Date of Scan:
2025-12-06
Impact:
MEDIUM
Summary:
Researchers at SpiderLabs have uncovered a phishing campaign that uses an “Executive Award” theme to lure victims into credential theft and malware installation. The operation begins with emails claiming to relate to a corporate recognition or gift-card program, directing users to a convincing phishing site that mimics an internal award or webmail portal. When victims submit their credentials, the data is immediately exfiltrated to attacker-controlled infrastructure, including a Telegram channel. The site then displays a fake browser error and prompts users to download a supposed “fix” file, leveraging the ClickFix technique to execute concealed PowerShell code via Windows messaging features. This PowerShell stage ultimately downloads and installs the Stealerium information stealer, which operates silently to harvest additional data and establish persistence for long-term access.
Source: https://x.com/SpiderLabs/status/1995639456028926169
2025-12-06
Intellexa_Predator_Spyware_Network
HIGH
Intel Source:
Recorded Future
Intel Name:
Intellexa_Predator_Spyware_Network
Date of Scan:
2025-12-06
Impact:
HIGH
Summary:
Researchers at Insikt Group have identified an extensive network of companies and individuals connected to Intellexa and its flagship Predator spyware, revealing a persistent global ecosystem supporting surveillance-for-hire operations. The investigation exposes a complex web of front companies, intermediaries, and infrastructure spanning Europe, the Middle East, and Africa, with active entities registered in Greece, North Macedonia, the Czech Republic, and the United Arab Emirates. Predator is a modular spyware framework capable of full device compromise through both one-click and zero-click exploits, granting operators access to sensitive device data including messages, calls, and camera feeds. Insikt Group’s analysis shows that despite sanctions, exposure, and legal scrutiny, Intellexa-linked companies continue to operate under new identities and regional affiliates to obscure attribution and sustain commercial activity.
Source: https://www.recordedfuture.com/research/intellexas-global-corporate-web
2025-12-05
A_Misuse_of_Velociraptor
MEDIUM
Intel Source:
Huntress
Intel Name:
A_Misuse_of_Velociraptor
Date of Scan:
2025-12-05
Impact:
MEDIUM
Summary:
Researchers at Huntress uncovered an espionage campaign in which a threat actor abused the Velociraptor DFIR platform and other legitimate administrative tools to establish covert C2 across multiple victim environments. The actor initially breached networks by exploiting vulnerable Windows web services, then installed Velociraptor as a persistent service with elevated privileges. After gaining a foothold, they relied on cloud tunneling services, remote desktop utilities, and encoded PowerShell to move laterally, enumerate Active Directory, and execute arbitrary commands while closely mimicking normal administrative activity. In one instance, the intrusion culminated in the deployment of Warlock ransomware, with Velociraptor enabling continued access during and following the encryption event. Confirmed victims include an agriculture organization, a managed service provider’s internal network, and another enterprise.
Source: https://www.huntress.com/blog/velociraptor-misuse-part-two-eye-of-the-storm
2025-12-05
V3G4_Botnet_Evolves
MEDIUM
Intel Source:
Cyble
Intel Name:
V3G4_Botnet_Evolves
Date of Scan:
2025-12-05
Impact:
MEDIUM
Summary:
Cyble researchers have identified a new campaign by V3G4, a Mirai-based botnet that has evolved beyond its usual DDoS attacks to secretly run cryptomining on compromised Linux devices. The operation uses a multi-stage infection chain, beginning with a downloader script designed to work across many CPU architectures, making it effective against a wide range of servers and embedded systems. Once inside, it deploys a custom bot that gathers system details, manipulates system services, and establishes resilient communication with its C2 servers. The malware also performs TCP scanning and uses DNS-based C2 resolution, enabling it to discover additional targets and remain connected even if the attackers update their infrastructure. In later stages, the operators deploy a fileless cryptominer whose configuration is delivered at runtime, leaving minimal traces on disk and complicating forensic analysis.
Source: https://cyble.com/blog/v3g4-mirai-botnet-evolves/
2025-12-04
DigitStealer_MacOS_Infostealer
HIGH
Intel Source:
Polyswarm
Intel Name:
DigitStealer_MacOS_Infostealer
Date of Scan:
2025-12-04
Impact:
HIGH
Summary:
Researchers at PolySwarm have uncovered a new macOS malware family named DigitStealer, a multi-stage information stealer that leverages JavaScript for Automation (JXA) and AppleScript to evade detection and exfiltrate sensitive data. The campaign distributes unsigned disk images masquerading as legitimate macOS utilities, using bash and curl commands to execute the payload entirely in memory. Once executed, the malware carries out comprehensive hardware, regional, and anti-virtualization checks to ensure it runs exclusively on physical Apple Silicon systems, with a particular focus on M2 and newer chips. DigitStealer advances through four structured stages, including an AppleScript-driven credential harvester, an obfuscated JXA module for broader data theft, a tampered Ledger Live component designed for cryptocurrency exfiltration, and a persistent backdoor established via a LaunchAgent.
Source: https://blog.polyswarm.io/digitstealer-macos-infostealer
2025-12-04
Phishing_Campaign_Masquerades_Italy_Presidency_Website
MEDIUM
Intel Source:
Cert-AGID
Intel Name:
Phishing_Campaign_Masquerades_Italy_Presidency_Website
Date of Scan:
2025-12-04
Impact:
MEDIUM
Summary:
CERT-AGID researchers have identified a phishing campaign that impersonates the Italian Government and the Presidency of the Council of Ministers to harvest online banking credentials. The operation begins with emails titled “Verification of Banking Data – Italian Government,” urging recipients to click a link presented as part of a routine administrative check. The embedded link directs victims to a webpage that replicates the official branding and visual identity of the Presidency, creating a strong sense of legitimacy. From there, users are presented with a bank selection drop-down listing numerous national and international credit institutions, after which they are redirected to a counterfeit portal for the chosen bank. These fraudulent portals closely mimic legitimate online banking login pages to capture customer IDs, PINs, and passwords. The campaign relies on brand impersonation and high-quality visual replicas rather than malware, reducing technical complexity while still posing a significant fraud risk.
Source: https://cert-agid.gov.it/news/in-atto-una-campagna-di-phishing-che-sfrutta-le-insegne-del-governo-per-sottrarre-dati-bancari/
2025-12-04
matanbuchus_3_0_modular_downloader_with_ransomware_aligned_capabilities
LOW
Intel Source:
Zscaler
Intel Name:
matanbuchus_3_0_modular_downloader_with_ransomware_aligned_capabilities
Date of Scan:
2025-12-04
Impact:
LOW
Summary:
Researchers at Zscaler ThreatLabz have identified a new and more advanced variant of the Matanbuchus Malware-as-a-Service platform, marking a substantial evolution in its deployment and post-exploitation capabilities. Matanbuchus 3.0 introduces enhanced obfuscation, Protobuf-based C2 communication, and long-running anti-analysis delays, making it significantly harder to detect. Recent intrusions show threat actors using Quick Assist–enabled access to deploy trojanized MSI installers that sideload the downloader module, which then retrieves the main payload from attacker infrastructure. The updated variant expands its ability to execute EXEs, DLLs, MSI packages, and shellcode through multiple injection pathways while establishing persistence via scheduled tasks. These advancements strengthen its utility for ransomware-aligned operators and increase its impact across Windows environments.
Source: https://www.zscaler.com/blogs/security-research/technical-analysis-matanbuchus-3-0#indicators-of-compromise--iocs-
2025-12-03
Operation_DupeHike
MEDIUM
Intel Source:
Seqrite
Intel Name:
Operation_DupeHike
Date of Scan:
2025-12-03
Impact:
MEDIUM
Summary:
Researchers at Seqrite have uncovered an espionage campaign called Operation DupeHike, in which the threat group UNG0902 targets employees in Russian organizations, especially those working in HR, payroll, and internal administration. The attackers send a ZIP file containing a malicious shortcut file disguised as an internal bonus-policy document. When executed, it triggers a PowerShell downloader that retrieves a C++ implant named DUPERUNNER while showing the victim a legitimate-looking PDF to avoid suspicion. DUPERUNNER gathers system details, chooses a suitable process for injection, and then loads a stager that deploys an AdaptixC2 beacon directly in memory. This beacon uses encrypted HTTP communications, dynamic API resolution, custom hashing, and reflective loading to evade detection, while also collecting and exfiltrating local data to attacker infrastructure. The operation relies on user interaction and living-off-the-land techniques, making it more effective at bypassing basic security controls. The campaign has been active since at least November 2025 and is focused on information theft rather than causing immediate disruption.
Source: https://www.seqrite.com/blog/9512-2/
2025-12-03
ShadyPanda_Malware_Campaign
MEDIUM
Intel Source:
Koi Security
Intel Name:
ShadyPanda_Malware_Campaign
Date of Scan:
2025-12-03
Impact:
MEDIUM
Summary:
Koi Security has uncovered a long-running campaign by the threat actor ShadyPanda, which has been abusing Chrome and Edge extensions for years to conduct large-scale surveillance. The group compromises legitimate, highly rated extensions by delivering delayed malicious updates, causing users to unknowingly install the malware through normal auto-updates. Over time, their tools have evolved from simple ad-fraud extensions to sophisticated spyware and browser-based backdoors capable of executing attacker-controlled code directly inside the browser. The latest payload runs hourly, provides full programmatic access to browser APIs, and can dynamically shift between ad fraud, credential theft, and corporate espionage. It gathers browsing history, search queries, interaction telemetry, and device fingerprints, and can intercept sessions and credentials using malicious service workers. Because the attack operates entirely within the browser, it effectively bypasses traditional endpoint and email security controls.
Source: https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign
2025-12-03
Salty2FA_and_Tycoon2FA
MEDIUM
Intel Source:
Any.Run
Intel Name:
Salty2FA_and_Tycoon2FA
Date of Scan:
2025-12-03
Impact:
MEDIUM
Summary:
Researchers at ANY.RUN have identified a new hybrid phishing campaign that combines two well-known phishing-as-a-service kits: Salty2FA and Tycoon2FA. Although Salty2FA activity had recently declined, attackers are now integrating components from both toolkits within the same operation. The campaign uses Salty-style login and MFA pages on the front end, while captured data is routed to a Tycoon2FA-like backend. This hybrid design aims to steal enterprise login credentials and MFA codes, enabling attackers to compromise accounts and move deeper into networks. To maintain resilience, the phishing infrastructure relies on low-cost hosting, CDNs, and rapidly rotating domains that remain active even as defenders attempt to block them. For victims, the pages appear highly convincing, while obfuscated JavaScript performs anti-analysis checks, dynamically loads additional stages, and falls back to alternate servers if needed.
Source: https://any.run/cybersecurity-blog/salty2fa-tycoon2fa-hybrid-phishing-2025/
2025-12-02
APT_C_35_Targets_Pakistani_Agencies
HIGH
Intel Source:
360 Threat Intelligence Center
Intel Name:
APT_C_35_Targets_Pakistani_Agencies
Date of Scan:
2025-12-02
Impact:
HIGH
Summary:
Researchers at 360 Threat Intelligence Center have observed that the South Asian APT group APT-C-35 (Brain Worm, also known as Donot) has launched a new campaign targeting government entities in Pakistan using a remote access Trojan (RAT) called ShadowAgent. The campaign begins with phishing emails containing ZIP attachments with decoy PDFs and executables disguised with PDF icons to deceive recipients into execution. Once executed, ShadowAgent decrypts its configuration from an internal resource segment, establishes persistence via a scheduled task, and collects host identifiers, usernames, and security product information before exfiltrating data to a remote server over HTTP/WebSocket. The C2 infrastructure allows remote command execution through JSON over WebSocket, supporting shell interaction, file transfer, and directory traversal. A related downloader, linked through previously used digital certificates, employs AES and Base64 encryption, stages persistence via system processes, and communicates with the same C2 framework. The campaign’s tactics, encryption methods, and reuse of code, certificates, and infrastructure clearly tie it to APT-C-35, as do its focus on government institutions, use of themed decoys, and targeting of defense and administrative data.
Source: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247507603&idx=1&sn=af41be456f6393a24771846328e8d7f2&poc_token=HMJjLWmjkDO24TTMzmHt6KR5LQFHyZH1Pxh11B8p
2025-12-02
Arkanix_Stealer
MEDIUM
Intel Source:
G-Data
Intel Name:
Arkanix_Stealer
Date of Scan:
2025-12-02
Impact:
MEDIUM
Summary:
Researchers at G DATA have uncovered Arkanix, a new information-stealing malware being sold online for quick profit. The operators openly promote it on social platforms and distribute it as seemingly legitimate tools within gaming and social communities. The malware comes in two versions—one written in Python and another in C++. The Python version downloads its active payload from a remote server and can even spread itself by sending messages through chat platforms. Both versions steal a wide range of data, including browser passwords and sessions, cryptocurrency wallet information, VPN and Steam accounts, Wi-Fi details, Telegram data, screenshots, and general system information. The C++ build is more advanced and injects into Chromium-based browsers to bypass newer cookie protection features and extract encrypted data. Everything stolen is sent back to servers controlled by the attackers so the data can be quickly sold or used for account takeovers.
Source: https://www.gdatasoftware.com/blog/2025/12/38306-arkanix-stealer
2025-12-01
APT36_Launches_New_Linux_Espionage
HIGH
Intel Source:
CYFIRMA
Intel Name:
APT36_Launches_New_Linux_Espionage
Date of Scan:
2025-12-01
Impact:
HIGH
Summary:
Researchers at CYFIRMA have identified a new APT36 (Transparent Tribe) cyber-espionage campaign targeting Indian government entities using Python-based ELF malware designed for Linux systems. The actor, associated with Pakistan, demonstrates growing technical maturity and dual-platform capability through tailored payloads for both Windows and Linux, including distributions commonly used in Indian government environments. The attack begins with spear-phishing emails delivering weaponized .desktop shortcut files disguised as legitimate documents. Once executed, these files decode a hidden Base64 payload, display a benign decoy PDF, and download additional malicious components from attacker-controlled infrastructure. The retrieved payloads establish persistence via systemd user services and deploy a Python-compiled RAT capable of file exfiltration, remote shell execution, screenshot capture, and arbitrary Python code execution. Static analysis shows the RAT was built with PyInstaller and incorporates cross-platform C2 communications over HTTP POST, zip-based data exfiltration, hidden working directories, and self-destruct routines to erase forensic evidence.
Source: https://www.cyfirma.com/research/apt36-python-based-elf-malware-targeting-indian-government-entities/
2025-12-01
Malicious_VS_Code_Extension_Used_in_Supply_Chain_Attack
HIGH
Intel Source:
Nextron Systems
Intel Name:
Malicious_VS_Code_Extension_Used_in_Supply_Chain_Attack
Date of Scan:
2025-12-01
Impact:
HIGH
Summary:
Researchers at Nextron Systems have analyzed a malicious Visual Studio Code extension impersonating 'Material Icon Theme' (version 5.29.1) that contained two Rust-based implants targeting both Windows and macOS, activated immediately upon extension launch through a loader script crafted to resemble legitimate files. The implants employed an unconventional command-and-control technique by pulling encrypted instructions from a Solana blockchain wallet, a method previously observed in the GlassWorm campaign, before decoding the commands and retrieving a second-stage payload from a remote command server, with a Google Calendar event serving as a fallback delivery mechanism. These follow-on payloads consisted of AES-256-CBC–encrypted JavaScript blobs.
Source: https://www.nextron-systems.com/2025/11/29/analysis-of-the-rust-implants-found-in-the-malicious-vs-code-extension/
2025-11-30
ShadowV2_Targeting_IoT_Devices
MEDIUM
Intel Source:
Fortinet
Intel Name:
ShadowV2_Targeting_IoT_Devices
Date of Scan:
2025-11-30
Impact:
MEDIUM
Summary:
FortiGuard researchers have identified ShadowV2, a new Mirai-based botnet targeting publicly exposed IoT devices. The operators exploit several known vulnerabilities in DD-WRT, D-Link, and TP-Link firmware to gain remote code execution and deploy an initial downloader that subsequently retrieves the main ShadowV2 binary. Once executed, the malware initializes XOR-obfuscated configuration data containing file paths, HTTP headers, and user-agent strings designed to mimic legitimate web traffic. ShadowV2 supports UDP, TCP, and HTTP-based flooding techniques, with attack routines dynamically triggered using numeric method IDs issued by the C2 server. Ongoing activity shows widespread scanning and exploitation across the Americas, Europe, Africa, and Oceania, reflecting an effort to build a large, globally distributed botnet. Compromised devices can be used for high-volume DDoS attacks and may also function as proxies or entry points for lateral movement into internal networks.
Source: https://www.fortinet.com/blog/threat-research/shadowv2-casts-a-shadow-over-iot-devices
2025-11-30
FlexibleFerret_macOS_Job_Scam_Malware
HIGH
Intel Source:
Jamf
Intel Name:
FlexibleFerret_macOS_Job_Scam_Malware
Date of Scan:
2025-11-30
Impact:
HIGH
Summary:
Researchers at Jamf Threat Labs have identified a renewed campaign involving the FlexibleFerret malware family, a macOS-targeting threat attributed to DPRK-aligned operators. The operation leverages fake job recruitment websites and LinkedIn posts to trick victims into running attacker-supplied Terminal commands during supposed hiring assessments. Once executed, these commands initiate a multi-stage infection chain that installs a malicious shell script and a Golang-based backdoor. The malware establishes persistence through LaunchAgents, deploys a decoy application mimicking Chrome to harvest credentials, and abuses legitimate APIs for exfiltration. The campaign demonstrates refined social engineering capabilities designed to bypass macOS Gatekeeper protections and blend into normal user behavior.
Source: https://www.jamf.com/blog/flexibleferret-malware-continues-to-adapt/
2025-11-29
Shai_Hulud_2_0
MEDIUM
Intel Source:
Netskope
Intel Name:
Shai_Hulud_2_0
Date of Scan:
2025-11-29
Impact:
MEDIUM
Summary:
Netskope researchers have uncovered Shai-Hulud 2.0, an aggressive and automated npm supply-chain campaign that compromises developers’ GitHub accounts and tokens to mass-publish malicious packages. Once installed, the malware deploys multi-stage payloads that collect environment details, cloud secrets, and authentication material from developer workstations and CI pipelines. It then uses this access to backdoor GitHub workflows and npm projects, enabling lateral movement across organisations. Active since mid-September 2025, Shai-Hulud 2.0 has already infected hundreds of npm packages, with attackers continually pushing new trojanized versions even after maintainers attempt remediation. By stealing cloud secrets and local configuration data, the malware creates opportunities for further cloud account breaches and long-term persistence within GitHub organisations.
Source: https://www.netskope.com/blog/shai-hulud-2-0-aggressive-automated-one-of-fastest-spreading-npm-supply-chain-attacks-ever-observed
2025-11-29
Black_Friday_Brand_Impersonation_Lures
MEDIUM
Intel Source:
Darktrace
Intel Name:
Black_Friday_Brand_Impersonation_Lures
Date of Scan:
2025-11-29
Impact:
MEDIUM
Summary:
Darktrace researchers have observed a significant rise in sophisticated phishing campaigns during the Black Friday period, with attackers aggressively using brand impersonation and urgent promotional themes. These campaigns revolve around highly convincing emails that imitate major consumer and luxury brands to steal credentials or redirect victims to fraudulent sites. Threat actors leverage well-crafted subject lines about exclusive deals and limited-time offers to entice users. They also take advantage of newly registered domains and third-party hosting services to evade traditional email security and reputation-based filtering. The emails are carefully designed to mirror legitimate marketing communications, replicating real brand layouts, colour palettes, and call-to-action elements.
Source: https://www.darktrace.com/blog/from-amazon-to-louis-vuitton-how-darktrace-detects-black-friday-phishing-attacks
2025-11-29
TAG_150_Modular_Loader_RAT_Campaign
HIGH
Intel Source:
Darktrace
Intel Name:
TAG_150_Modular_Loader_RAT_Campaign
Date of Scan:
2025-11-29
Impact:
HIGH
Summary:
Researchers at Darktrace have identified an ongoing campaign operated by the TAG-150 group, a Malware-as-a-Service (MaaS) provider active since March 2025. TAG-150 employs two primary malware families, CastleLoader and CastleRAT, to deliver, stage, and execute malicious payloads across enterprise networks. CastleLoader functions as a modular loader, capable of downloading and executing secondary payloads via deceptive web domains and GitHub-hosted repositories, while CastleRAT operates as a remote access trojan enabling command execution, keylogging, and data theft. The campaign’s architecture demonstrates a deliberate separation between delivery and execution phases, enhancing operational resilience and evasion capabilities. Darktrace analysts observed TAG-150 leveraging multi-stage infection chains, including fake software update prompts and embedded shellcode, to compromise targets primarily within the United States.
Source: https://www.darktrace.com/blog/castleloader-castlerat-behind-tag150s-modular-malware-delivery-system
2025-11-29
Operation_Hanoi_Thief
MEDIUM
Intel Source:
Seqrite
Intel Name:
Operation_Hanoi_Thief
Date of Scan:
2025-11-29
Impact:
MEDIUM
Summary:
Seqrite Labs has identified a focused spear-phishing campaign, dubbed Operation Hanoi Thief, targeting Vietnamese IT professionals and recruitment teams. The attackers deliver a multi-stage info-stealer known as LOTUSHARVEST through a malicious ZIP file containing a résumé-themed LNK shortcut embedded within a pseudo-polyglot lure that also functions as a batch script. Once triggered, the LNK leverages Windows LOLBINs and a scripted execution chain to drop a malicious DLL and enable DLL sideloading via a copied ctfmon.exe. The final payload, tracked as LOTUSHARVEST, focuses on browser data theft rather than encryption or destruction. The malware includes anti-analysis logic such as debugger checks and fake exception handling to evade sandboxing and reverse engineering. It targets Chromium-based browsers, harvesting history and saved credentials from local SQLite databases and decrypting them with Windows APIs. The stolen data is packaged together with host identifiers in JSON format and exfiltrated over port 443 to attacker-controlled infrastructure via standard WinINet APIs.
Source: https://www.seqrite.com/blog/9479-2/
2025-11-28
ScoringMathTea_RAT_Targets_UAV_Defense_Contractors
HIGH
Intel Source:
Polyswarm
Intel Name:
ScoringMathTea_RAT_Targets_UAV_Defense_Contractors
Date of Scan:
2025-11-28
Impact:
HIGH
Summary:
PolySwarm researchers have uncovered that North Korea’s Lazarus Group is deploying a previously undocumented C++ remote-access trojan (RAT) dubbed ScoringMathTea as part of an updated phase of Operation DreamJob, internally referred to as “Gotta Fly.” This campaign is designed to exfiltrate sensitive UAV-related technology from defense contractors supporting Ukraine. ScoringMathTea is a fully in-memory RAT that employs dynamic API loading, encrypted strings, reflective DLL injection, and other stealth techniques to evade detection. The malware communicates with its C2 servers over HTTP/S using TEA/XTEA-CBC encryption, spoofed browser identifiers, and fake HTML error pages to mimic legitimate web traffic. The tool demonstrates strong operational discipline, featuring runtime-only decryption, custom obfuscation layers, and API hashing. Overall, the discovery highlights Lazarus Group’s continued investment in stealthy, espionage-focused tooling designed for high-value intelligence collection.
Source: https://blog.polyswarm.io/lazarus-groups-scoringmathtea-rat
2025-11-28
Fog_Ransomware_APT_Style_Double_Extortion
HIGH
Intel Source:
Picus Security
Intel Name:
Fog_Ransomware_APT_Style_Double_Extortion
Date of Scan:
2025-11-28
Impact:
HIGH
Summary:
Researchers at Picus Security have identified Fog ransomware as a rapidly evolving cyber threat that blends ransomware operations with espionage-style tactics typically seen in advanced persistent threat (APT) groups. Emerging in early 2024, the group initially targeted education and recreation sectors in the United States before expanding to high-value financial institutions in Asia by mid-2025. Fog employs a multi-stage attack lifecycle that includes exploitation of remote access vulnerabilities, credential theft, and phishing campaigns delivering malicious PowerShell loaders. Following initial access, the operators conduct extensive network reconnaissance, privilege escalation through driver-level exploits, and lateral movement using legitimate administration tools.
Source: https://www.picussecurity.com/resource/blog/fog-ransomware-2025-deep-dive-into-ttps
2025-11-28
Water_Gamayun_Campaign
HIGH
Intel Source:
Zscaler
Intel Name:
Water_Gamayun_Campaign
Date of Scan:
2025-11-28
Impact:
HIGH
Summary:
Zscaler has identified a new Water Gamayun campaign that leverages a compromised BELAY Solutions webpage and a newly registered domain to deliver a RAR archive masquerading as a PDF. The operators exploit the MSC EvilTwin vulnerability (CVE-2025-26633) to inject malicious code into mmc.exe, using the trusted Windows binary to execute multiple concealed PowerShell stages. The attack chain employs layered obfuscation, password-protected payloads, and C#-based process-hiding techniques, ultimately deploying multi-stage backdoors and stealers such as SilentPrism, DarkWisp, EncryptHub, and Rhadamanthys. The final loader, ItunesC.exe, is designed for persistence, credential theft, and further payload delivery.
Source: https://www.zscaler.com/blogs/security-research/water-gamayun-apt-attack
2025-11-27
Tycoon_2FA_AiTM_Phishing_as_a_Service
HIGH
Intel Source:
Cyfirma
Intel Name:
Tycoon_2FA_AiTM_Phishing_as_a_Service
Date of Scan:
2025-11-27
Impact:
HIGH
Summary:
Researchers at CYFIRMA have identified Tycoon 2FA as an advanced and rapidly expanding Phishing-as-a-Service (PhaaS) platform that leverages Adversary-in-the-Middle (AiTM) techniques to steal user credentials and bypass multi-factor authentication. First observed in 2023, Tycoon 2FA enables threat actors to intercept authentication tokens in real time by proxying victims’ login requests through attacker-controlled servers. The service offers subscription-based access to phishing kits that emulate legitimate login portals for Microsoft 365, Gmail, and Outlook, using CAPTCHA gates, realistic validation steps, and deceptive error screens to evade detection and prolong victim interaction. Tycoon 2FA incorporates JavaScript obfuscation, Unicode-based code hiding, and browser fingerprinting to complicate analysis and reduce detection by automated tools. Its infrastructure employs rotating subdomains, encrypted payloads, and cross-origin data exfiltration mechanisms, ensuring resilience against static blocking.
Source: https://www.cyfirma.com/research/tycoon-2fa-a-technical-analysis-of-its-adversary-in-the-middle-phishing-operation/
2025-11-27
DPRK_Linked_Contagious_Interview_Campaign
HIGH
Intel Source:
Validin
Intel Name:
DPRK_Linked_Contagious_Interview_Campaign
Date of Scan:
2025-11-27
Impact:
HIGH
Summary:
Researchers at Validin have uncovered a new DPRK-linked campaign known as Contagious Interview, which leverages a deceptive recruitment platform called Lenny to target U.S.-based AI researchers, developers, and cryptocurrency professionals. The threat actors created a polished SaaS-style hiring website that closely resembles a legitimate AI job portal, complete with realistic workflows and branding. When victims begin the interview process, the site executes a clipboard-hijacking script that injects a malicious PowerShell command masquerading as a routine Microsoft driver update. This triggers a multi-stage, ClickFix-style infection chain that retrieves and executes additional payloads through PowerShell and VBScript. The campaign is designed to harvest intelligence, gain unauthorized system access, and enable potential financial theft through compromised cryptocurrency platforms.
Source: https://www.validin.com/blog/inside_dprk_fake_job_platform/
2025-11-26
Black_Friday_eCommerce_Fraud_Surge
MEDIUM
Intel Source:
Checkpoint
Intel Name:
Black_Friday_eCommerce_Fraud_Surge
Date of Scan:
2025-11-26
Impact:
MEDIUM
Summary:
Researchers at Check Point have identified a major rise in fraudulent eCommerce activity ahead of Black Friday 2025, driven by a surge in fake shopping sites and brand impersonation schemes. Threat actors used bulk domain registration and templated website generation to create convincing storefronts designed to steal credentials and financial information. They found that roughly one in every eleven newly registered Black Friday–themed domains was malicious, often blending geographic and time-based keywords to appear legitimate while impersonating well-known retailers. Many sites copied logos, layouts, and product images, including stolen or watermarked photos, and several campaigns targeted consumers in specific regions and languages. Although no direct link to AI was confirmed, the team warned that generative AI could soon accelerate and refine these fraud operations. Analysts observed more than 1,500 new brand-impersonating domains in October 2025, reflecting a significant month-over-month increase.
Source: https://blog.checkpoint.com/research/the-black-friday-cyber-crime-economy-surge-in-fraudulent-domains-and-ecommerce-scams/
2025-11-26
Kimsuky_Health_Checkup_Email_Malware
HIGH
Intel Source:
Wezard4u
Intel Name:
Kimsuky_Health_Checkup_Email_Malware
Date of Scan:
2025-11-26
Impact:
HIGH
Summary:
Researchers at Dreaming Bluebird have identified a new phishing campaign attributed to the North Korean threat group Kimsuky, which leverages a malicious email attachment disguised as a health checkup guide. The infection begins when recipients open a compressed archive containing a fake PDF file that actually executes a JavaScript payload through Windows Script Host. This script decodes Base64-encoded content and stages secondary components to the ProgramData directory before invoking PowerShell commands for further payload execution. The second-stage DLL is run through rundll32.exe to maintain stealth and persistence. The malware employs AES-CBC encryption and Base64 encoding to secure its command-and-control communications, which are crafted to appear as legitimate Chrome browser traffic.
Source: https://wezard4u.tistory.com/429656
2025-11-26
Kimsuky_and_Lazarus_Coordinated_Campaign
HIGH
Intel Source:
CN-SEC
Intel Name:
Kimsuky_and_Lazarus_Coordinated_Campaign
Date of Scan:
2025-11-26
Impact:
HIGH
Summary:
Purple Team researchers have uncovered that North Korean threat groups Kimsuky and Lazarus are conducting a coordinated campaign that blends espionage with financially motivated intrusions. Kimsuky initiates these operations using academic-themed phishing lures, such as fake conference invitations or collaboration requests, which contain malicious HWP or MSC files that deliver the KLogEXE keylogger. This early-stage access allows the actors to profile victim systems and collect operational intelligence. Lazarus then leverages this intelligence to carry out follow-on attacks, deploying Node.js-based payloads, custom backdoors including FPSpy and InvisibleFerret, and exploiting the Windows zero-day CVE-2024-38193 to escalate privileges and steal cryptocurrency. Both groups operate on shared infrastructure, use domain-polling techniques to evade detection, and clean up artifacts to hide their tracks. Their joint campaign has targeted blockchain, diplomatic, and defense organizations in South Korea and internationally.
Source: https://cn-sec.com/archives/4704912.html
2025-11-25
South_Korea_Spear_Phishing_Surge
HIGH
Intel Source:
ASEC
Intel Name:
South_Korea_Spear_Phishing_Surge
Date of Scan:
2025-11-25
Impact:
HIGH
Summary:
Researchers at AhnLab Security Emergency Response Center (ASEC) have identified a surge in Advanced Persistent Threat (APT) campaigns targeting South Korea during October 2025, primarily leveraging spear phishing as the initial intrusion method. The observed attacks distributed malicious LNK and JSE attachments masquerading as legitimate inter-Korean cooperation or government-related documents to compromise victims. Two primary delivery mechanisms were reported: Type A, which used compressed archives to deploy RAT malware such as XenoRAT and RokRAT via PowerShell and cloud storage APIs, and Type B, which leveraged malicious AutoIt scripts to maintain persistence and execute remote commands. These campaigns demonstrated advanced social engineering, often exploiting politically sensitive lures related to North Korea, human rights, and national policy, indicating an espionage-driven objective.
Source: https://asec.ahnlab.com/en/91177/
2025-11-25
Xillen_Stealer_v5_AI_Evasive_Infostealer
HIGH
Intel Source:
Darktrace
Intel Name:
Xillen_Stealer_v5_AI_Evasive_Infostealer
Date of Scan:
2025-11-25
Impact:
HIGH
Summary:
Researchers at Darktrace have identified a new version of the Python-based infostealer Xillen Stealer v5, which introduces advanced capabilities to evade AI-based detection systems. The malware targets sensitive data such as credentials, cryptocurrency wallets, and cloud configuration information across Windows, browser, and containerized environments. Xillen Stealer v5 incorporates multiple sophisticated modules, including a Rust-based polymorphic engine, behavioral mimicry, and container persistence to resist both static and behavioral detection. Its “AITargetDetection” module is designed to prioritize high-value victims—such as crypto traders, executives, and users in financially lucrative regions—using a rule-based targeting model.
Source: https://www.darktrace.com/blog/xillen-stealer-updates-to-version-5-to-evade-ai-detection
2025-11-25
Qilin_and_Omnipotent_Financial_Data_Breaches
HIGH
Intel Source:
ASEC
Intel Name:
Qilin_and_Omnipotent_Financial_Data_Breaches
Date of Scan:
2025-11-25
Impact:
HIGH
Summary:
Researchers at AhnLab Security Emergency Response Center (ASEC) have identified two major cyber incidents in October 2025 impacting the global financial sector, involving large-scale data breaches and ransomware attacks. The first case involves a DarkForum actor known as omnipotent, who leaked a massive customer database belonging to an Indian life insurance company, marking one of the largest data exposures in the country's insurance industry. The breach contained extensive personal and financial details, posing significant risks of identity theft and fraud. The second incident centers on the Qilin ransomware group, also known as The Gentlemen, which targeted a Singapore-based financial IT service provider that supports hundreds of banks and FinTech companies across multiple continents. The attackers exfiltrated sensitive corporate data and attempted to extort the victim by threatening to publish the stolen information.
Source: https://asec.ahnlab.com/en/91174/
2025-11-24
An_Abuse_of_Velociraptor
HIGH
Intel Source:
Huntress
Intel Name:
An_Abuse_of_Velociraptor
Date of Scan:
2025-11-24
Impact:
HIGH
Summary:
Huntress researchers have identified active exploitation of a recently patched remote code execution vulnerability (CVE-2025-59287) in Windows Server Update Services (WSUS), which attackers used to gain initial access to enterprise environments. After compromise, the threat actors deployed Velociraptor, a legitimate open-source DFIR framework, to establish C2 across compromised endpoints. The attackers distributed malicious MSI packages hosted on s3[.]wasabisys[.]com, using them to install and configure Velociraptor agents that beaconed back to their C2 server. Once operational, the agents were used to run PowerShell payloads, execute remote commands, and perform extensive system and network reconnaissance.
Source: https://www.huntress.com/blog/velociraptor-misuse-part-one-wsus-up
2025-11-24
Malicious_ConvertMate_PDF_Editor
HIGH
Intel Source:
Truesec
Intel Name:
Malicious_ConvertMate_PDF_Editor
Date of Scan:
2025-11-24
Impact:
HIGH
Summary:
Truesec researchers have identified a significant increase in detections involving a trojanized version of the PDF editor “ConvertMate,” active since November 19, 2025. Although the installer initially appears legitimate and is downloaded from conmateapp.com, it exhibits clear malicious behavior after execution, including unauthorized command execution and the establishment of persistence mechanisms. Once launched, the program initiates outbound connections to several external domains and drops multiple artifacts (updating_files.zip, native.zip, UpdateRetriever.exe, and conmate_update.ps1) used to maintain ongoing communication with attacker infrastructure. Persistence is maintained through scheduled PowerShell scripts that trigger network callbacks every 24 hours. The binaries are signed by AMARYLLIS SIGNAL LTD, the same signer associated with the earlier PDFEditor malware campaign, indicating that this activity is likely an extension of that operation.
Source: https://www.truesec.com/hub/blog/reoccurring-use-of-highly-suspicious-pdf-editors-to-infiltrate-environments
2025-11-24
Pain_in_the_Mist_Navigating_DreamJob_Arsenal
HIGH
Intel Source:
Orange Cyberdefense
Intel Name:
Pain_in_the_Mist_Navigating_DreamJob_Arsenal
Date of Scan:
2025-11-24
Impact:
HIGH
Summary:
Researchers at Orange Cyberdefense have observed that in August 2025, their CyberSOC and CSIRT teams investigated an intrusion attributed with medium confidence to UNC2970, a North Korean threat cluster associated with Operation DreamJob. The attack targeted an Asian subsidiary of a European manufacturing firm through a WhatsApp lure impersonating a project manager job offer. The intrusion began with a ZIP file containing a malicious PDF, a legitimate SumatraPDF executable, and a DLL that was sideloaded when the PDF opened, triggering a BURNBOOK loader variant that decrypted and ran the MISTPEN backdoor in memory. Operators stayed active for roughly six hours, using compromised infrastructure for command and control while performing Active Directory enumeration, pass-the-hash movement, and deploying secondary payloads that led to a data collection module. The BURNBOOK sample aligned with earlier variants seen in 2024, functioning as a dropper and decryptor, while the MISTPEN variant showed overlap with previously documented loaders, using encrypted HTTP(S) communication, modular execution via defined opcodes, and built-in sleep routines. Both malware families relied heavily on sideloading legitimate software to avoid detection.
Source: https://www.orangecyberdefense.com/fileadmin/global/Blog/Navigating_Operation_DreamJob_s_arsenal_1.pdf
2025-11-24
ShadowPad_WSUS_RCE_Exploitation_Campaign
HIGH
Intel Source:
ASEC
Intel Name:
ShadowPad_WSUS_RCE_Exploitation_Campaign
Date of Scan:
2025-11-24
Impact:
HIGH
Summary:
Researchers at AhnLab Security Intelligence Center (ASEC) have identified an intrusion campaign leveraging a recently disclosed remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS), tracked as CVE-2025-59287, to deliver the ShadowPad backdoor. The attackers exploited vulnerable WSUS servers to gain system-level access, employing PowerShell-based tools for initial compromise before deploying legitimate utilities such as certutil and curl to install the ShadowPad malware. ShadowPad, a modular backdoor linked to multiple Chinese state-sponsored APT groups, was executed through DLL sideloading to ensure stealth and persistence. The campaign demonstrates a rapid operational response to the public release of exploit code, indicating the threat actors’ advanced technical capability and resource coordination. Once established, ShadowPad enables remote command execution, data exfiltration, and long-term control of compromised systems.
Source: https://asec.ahnlab.com/en/91166/
2025-11-23
Autumn_Dragon_Espionage_Campaign
HIGH
Intel Source:
CyberArmor
Intel Name:
Autumn_Dragon_Espionage_Campaign
Date of Scan:
2025-11-23
Impact:
HIGH
Summary:
Researchers at CyberArmor have identified an ongoing espionage campaign called Autumn Dragon, attributed with medium confidence to a China-nexus APT active since early 2025. The operation targeted government and media organizations across Indonesia, Singapore, the Philippines, Cambodia, and Laos, focusing on intelligence tied to South China Sea developments. Initial access came through spearphishing attachments exploiting CVE-2025-8088 in WinRAR, using a malicious archive that deployed a batch dropper masquerading as a Windows Defender update script. This dropper retrieved staged payloads from cloud storage and executed them through PowerShell. The intrusion chain involved four stages: a WinRAR-based dropper, a Telegram-enabled backdoor using a modified libcef.dll sideloaded via a legitimate OBS executable, a loader abusing Adobe Creative Cloud binaries to decrypt and run shellcode, and a final HTTPS backdoor communicating with attacker infrastructure. Commands such as systeminfo, tasklist, schtasks, and screenshot indicated hands-on-keyboard activity. The campaign relied on DLL sideloading, legitimate application binaries, geo-restricted infrastructure, and Telegram traffic to avoid detection.
Source: https://cdn.prod.website-files.com/68cd99b1bd96b42702f97a39/691bf999a544b31f93edb11d_b6dc80485a86c3eeaed906c7ecf0cd7b_Autumn%20Dragon_%20China-nexus%20APT%20Group%20Target%20South%20East%20Asia.pdf
2025-11-23
Gamaredon_Lazarus_Joint_Ops
HIGH
Intel Source:
Gen Threat Labs
Intel Name:
Gamaredon_Lazarus_Joint_Ops
Date of Scan:
2025-11-23
Impact:
HIGH
Summary:
Researchers at Gen Threat Labs have identified rare evidence of cross-country collaboration between Russia’s Gamaredon and North Korea’s Lazarus advanced persistent threat (APT) groups. The investigation began after internal monitoring systems detected suspicious overlap between both actors’ activities through a shared command-and-control infrastructure. Subsequent analysis confirmed that a server previously attributed to Gamaredon was later found hosting a Lazarus malware variant, suggesting operational coordination or deliberate infrastructure sharing. This marks a potential first in observed Russian–North Korean cyber collaboration, signaling a deeper alignment of geopolitical and digital strategies. Gamaredon’s focus on espionage and disruption in support of Russian military objectives, combined with Lazarus’s financially motivated operations tied to North Korea’s economic agenda, underscores a fusion of capability and intent across both regimes.
Source: https://www.gendigital.com/blog/insights/research/apt-cyber-alliances-2025
2025-11-22
Lynx_Ransomware_Intrusion_Campaign
HIGH
Intel Source:
DFIR
Intel Name:
Lynx_Ransomware_Intrusion_Campaign
Date of Scan:
2025-11-22
Impact:
HIGH
Summary:
DFIR researchers identified a hands-on-keyboard intrusion that culminated in the deployment of Lynx ransomware. The attacker gained access using valid RDP credentials, conducted rapid host and domain enumeration, and leveraged a high-privilege domain controller account to escalate privileges. They established persistence by creating look-alike domain accounts and adding them to elevated groups and used common network-scanning and remote-execution tools for reconnaissance and lateral movement. Over several days, the actor mapped domain assets, hypervisors, and file shares before compressing and exfiltrating data to a temporary file-sharing service. They later returned from a second external access point, continued their discovery activities, and manipulated the victim’s backup infrastructure to hinder recovery. On the ninth day, the attacker deployed and executed the ransomware across backup and file servers using customized parameters.
Source: https://thedfirreport.com/2025/11/17/cats-got-your-files-lynx-ransomware/#indicators
2025-11-22
Larva_24010_NKNshell_VPN_Malware_Campaign
HIGH
Intel Source:
ASEC
Intel Name:
Larva_24010_NKNshell_VPN_Malware_Campaign
Date of Scan:
2025-11-22
Impact:
HIGH
Summary:
Researchers at AhnLab Security Intelligence Center (ASEC) have identified a malware campaign in which the Larva-24010 threat actor distributed trojanized VPN installers through a compromised South Korean VPN provider’s website. When unsuspecting users download and execute the installer, the legitimate VPN setup runs alongside malicious PowerShell scripts that deploy multiple payloads, including NKNshell, MeshAgent, gs-netcat, and SQLMap. NKNshell, a Go-based backdoor, leverages the New Kind of Network (NKN) and MQTT protocols to enable encrypted peer-to-peer command and control communications, allowing remote execution, data exfiltration, DDoS operations, and system manipulation.
Source: https://asec.ahnlab.com/en/91139/
2025-11-21
Lokibot_Credential_Stealer
MEDIUM
Intel Source:
Splunk
Intel Name:
Lokibot_Credential_Stealer
Date of Scan:
2025-11-21
Impact:
MEDIUM
Summary:
Splunk researchers have identified a new variant of a .NET-based steganographic loader used to deliver the Lokibot credential stealer. In this campaign, attackers embed two intermediate payloads within BMP and PNG images and decrypt them directly in memory. The loader employs several evasion techniques, including delayed execution, process injection, token-privilege manipulation, and scheduled-task persistence, to avoid detection by basic sandboxes. Once executed, the malware collects system information, establishes communication with its C2 server, and steals credentials from web browsers, email clients, FTP applications, cryptocurrency wallets, and password managers. The report details the credential-stealing logic, Outlook-related registry queries, and the retrieval of additional payloads into the system’s temporary directory. Although the affected regions and industries are not specified, the activity clearly targets Windows environments, resulting in credential theft, potential account compromise, and further malware deployment.
Source: https://www.splunk.com/en_us/blog/security/updated-net-steganography-loader-lokibot-malware-analysis.html
2025-11-21
MuddyWater_Phishing_Campaign_Uses_Custom_Backdoors
HIGH
Intel Source:
360 Threat Intelligence Center
Intel Name:
MuddyWater_Phishing_Campaign_Uses_Custom_Backdoors
Date of Scan:
2025-11-21
Impact:
HIGH
Summary:
Researchers at the 360 Threat Intelligence Center have identified a new MuddyWater phishing campaign deploying custom backdoors through disguised PDF and DOC attachments. MuddyWater, also known as Static Kitten or MERCURY, is an Iranian state-linked APT active since 2017, known for espionage against government, military, telecommunications, and energy sectors across the Middle East, Europe, and North America. The report details how the group leveraged executable files masked as legitimate documents to deliver malicious payloads, including the UDPGangster and Phoenix backdoors. These implants enable remote command execution, file transfer, and persistence, indicating a continued emphasis on data theft and system control. Researchers note that the group has shifted away from remote management tools in favor of self-developed malware frameworks, showing an evolution toward stealthier and more controlled operations.
Source: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247507486&idx=1&sn=0dff4745b6c633dc05643744fcc62435&poc_token=HA5HHGmjsC0iLPCnHnO4me1CQAmaWZnjxn6sEXVg
2025-11-21
PlushDaemon_Compromise_Network_Device_through_AitM
MEDIUM
Intel Source:
ESET
Intel Name:
PlushDaemon_Compromise_Network_Device_through_AitM
Date of Scan:
2025-11-21
Impact:
MEDIUM
Summary:
Researchers at ESET uncovered a long-running cyber-espionage operation attributed to the China-aligned PlushDaemon group, which compromises network devices to hijack software updates and infect Windows systems. The attackers break into routers and deploy a previously unknown implant called EdgeStepper, which covertly intercepts DNS traffic and redirects software update requests to attacker-controlled servers. When victims attempt to download updates for popular Chinese applications, they instead receive a malicious Windows loader called LittleDaemon. This loader retrieves a downloader, DaemonicLogistics, which ultimately installs a full-featured backdoor known as SlowStepper to maintain long-term access. The operation demonstrates advanced manipulation of network traffic, including tampering with HTTP requests and adding packet-filtering rules directly on compromised routers. Active for several years across multiple regions, the campaign reflects a deliberate, targeted, and persistent intelligence-gathering effort rather than financially motivated attacks.
Source: https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/
2025-11-21
Kimsuky_Wedding_Photo_Malware_Campaign
MEDIUM
Intel Source:
Wezard4u
Intel Name:
Kimsuky_Wedding_Photo_Malware_Campaign
Date of Scan:
2025-11-21
Impact:
MEDIUM
Summary:
Researchers at Dreaming Bluebird have identified a new malware campaign attributed to the North Korean threat actor Kimsuky, leveraging compromised wedding photo retouching companies to distribute malicious JavaScript payloads. The operation involves sending infected project files disguised as legitimate photo editing content to unsuspecting customers or partner studios. Upon execution, the malicious script initiates a multi-stage decoding sequence that abuses built-in Windows utilities such as certutil.exe, PowerShell, and regsvr32.exe, allowing the attackers to decode and execute hidden payloads without dropping visible executables. This living-off-the-land (LOLBin) technique helps the attackers evade antivirus detection and blend into normal system activity. The analysis indicates that the malware uses Base64-encoded payloads that decode into executable components, which are then loaded dynamically through the system’s scripting engine.
Source: https://wezard4u.tistory.com/429652
2025-11-20
NotDoor_Malware_Exploits_Outlook_for_C2_and_Persistence
HIGH
Intel Source:
Splunk
Intel Name:
NotDoor_Malware_Exploits_Outlook_for_C2_and_Persistence
Date of Scan:
2025-11-20
Impact:
HIGH
Summary:
Researchers at the Splunk Threat Research Team have analyzed "NotDoor," a backdoor malware that exploits malicious Outlook macros for persistence and command execution. Initially attributed to APT28 (Fancy Bear) by Lab52 (S2 Grupo), NotDoor operates by sideloading a compromised SSPICLI.dll via a legitimate OneDrive.exe. Upon execution, the malware stages files in C:\ProgramData and deploys a VBA macro payload (testtemp.ini), which is then copied to %APPDATA%\Microsoft\Outlook\VbaProject.OTM. NotDoor activates Outlook macros, disables security prompts, and alters registry settings (LoadMacroProviderOnBoot, Security\Level, PONT_STRING) to ensure stealth and persistence. The malware monitors incoming emails, executing embedded commands for exfiltration and C2 communication through Outlook.
Source: https://www.splunk.com/en_us/blog/security/notdoor-insights-a-closer-look-at-outlook-macros-and-more.html
2025-11-20
The_Gentlemen_Ransomware
HIGH
Intel Source:
Cybereason
Intel Name:
The_Gentlemen_Ransomware
Date of Scan:
2025-11-20
Impact:
HIGH
Summary:
Cybereason researchers have uncovered The Gentlemen, a ransomware group active since mid-2025 and operating through a Ransomware-as-a-Service model. The group uses dual extortion, stealing and encrypting data to pressure victims. Its ransomware targets Windows, Linux, and ESXi systems, supports automatic restarts for persistence, and can spread across networks using native tools. It disables security controls, alters firewall settings, and performs anti-forensics to obstruct response. The ESXi variant is engineered for fast, concurrent attacks across multiple hosts and shared storage. The toolkit includes adjustable encryption speeds, selective directory targeting, and a “wipe-after” feature that further complicates recovery.
Source: https://www.cybereason.com/blog/the-gentlemen-ransomware
2025-11-20
Safery_Wallet_Chrome_Extension_Seed_Theft
HIGH
Intel Source:
Socket
Intel Name:
Safery_Wallet_Chrome_Extension_Seed_Theft
Date of Scan:
2025-11-20
Impact:
HIGH
Summary:
Researchers at Socket’s Threat Research Team identified a malicious Chrome browser extension masquerading as a legitimate Ethereum wallet named Safery: Ethereum Wallet. The extension was distributed through the Chrome Web Store and designed to harvest users’ cryptocurrency seed phrases. Once a user created or imported a wallet, the malware covertly encoded the mnemonic into blockchain-style data and transmitted it through public Sui network transactions. This innovative technique enabled the theft of private keys and wallet recovery phrases without using traditional command-and-control infrastructure, allowing the operation to blend seamlessly with normal blockchain activity. The extension presented a polished interface that mimicked legitimate wallet behavior, including balance queries and transaction displays, to build user trust and avoid suspicion. Its code also logged user keystrokes and exposed sensitive wallet data to scripts running in the browser.
Source: https://socket.dev/blog/malicious-chrome-extension-exfiltrates-seed-phrases?utm_medium=feed
2025-11-20
Sandworm_Emulation_Findings
HIGH
Intel Source:
AttackIQ
Intel Name:
Sandworm_Emulation_Findings
Date of Scan:
2025-11-20
Impact:
HIGH
Summary:
Researchers at AttackIQ have analyzed an emulation of Sandworm (APT44), the GRU-linked group known for destructive operations against Ukraine, focusing on two Ukrainian organizations likely compromised through exposed web services. The exercise replicated the use of the LocalOlive webshell along with extensive living-off-the-land activity for reconnaissance, persistence, and lateral movement. The assessment points to an espionage-driven operation with possible destructive intent, consistent with Sandworm’s history. Native tools such as schtasks, rundll32.exe, PowerShell, net, systeminfo, and tasklist were used for credential access, persistence, and evasion, while malicious executables like system.exe, service.exe, and nano.exe were deployed to test EDR visibility. The emulation also modeled credential dumping from LSASS and registry hives, firewall changes to allow SSH and RDP, and efforts to exclude processes from Microsoft Defender, reflecting a campaign aimed at durable access and broad network movement.
Source: https://www.attackiq.com/2025/11/14/sandworm/
2025-11-20
Fileless_Python_RAT_Using_Trusted_Binary
HIGH
Intel Source:
K7 Security Labs
Intel Name:
Fileless_Python_RAT_Using_Trusted_Binary
Date of Scan:
2025-11-20
Impact:
HIGH
Summary:
Researchers at K7 Security Labs have identified a sophisticated Python-based remote access trojan (RAT) that conceals its compiled payload in memory and abuses the legitimate Microsoft binary cvtres.exe for stealthy command-and-control communication. The threat employs a multi-stage delivery chain beginning with an encrypted dropper that reconstructs and executes a batch script to download disguised archive files from remote storage. These archives contain components masquerading as legitimate Windows files, including a fake ntoskrnl.exe acting as a Python runtime, and an obfuscated Python payload blob. Once executed, the loader performs several layers of decoding and decompression to rebuild the actual Python bytecode, which is then executed entirely in memory.
Source: https://labs.k7computing.com/index.php/masked-in-memory-a-hidden-pyc-fragment-utilises-cvtres-exe-to-communicate-with-cc/
2025-11-19
Lumma_Stealer_Returns_with_Smarter_Fingerprinting
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Lumma_Stealer_Returns_with_Smarter_Fingerprinting
Date of Scan:
2025-11-19
Impact:
MEDIUM
Summary:
Trend Micro researchers have observed a resurgence of the Lumma Stealer operation since late October 2025, after its operators were exposed. The latest version introduces an enhanced browser-fingerprinting capability while maintaining its established C2 infrastructure. Once executed, the malware injects itself into Chromium-based browsers to hijack user sessions and conceal its activity within normal web traffic. It initially communicates with a dedicated fingerprinting server that issues a unique device ID, authentication token, and browser identifier before resuming standard C2 communication. Lumma Stealer establishes outbound connections through trusted processes, enabling it to execute commands, exfiltrate data, and deliver additional payloads. The updated fingerprinting module collects extensive system information, including graphics, audio, WebRTC, fonts, screen details, and network characteristics and serializes the results into JSON format for POST-based exfiltration.
Source: https://www.trendmicro.com/en_us/research/25/k/lumma-stealer-browser-fingerprinting.html
2025-11-19
Malicious_Typosquatted_NPM_Package
MEDIUM
Intel Source:
Veracode
Intel Name:
Malicious_Typosquatted_NPM_Package
Date of Scan:
2025-11-19
Impact:
MEDIUM
Summary:
Veracode researchers have discovered a malicious npm package impersonating a legitimate GitHub Actions artifact library. The package is a typosquatted variant designed to deceive developers who accidentally mistype the legitimate package name. Upon installation, it executes a post-install script that downloads and runs an obfuscated shell script responsible for executing additional code. The malware specifically targets repositories owned by a particular organization, indicating a focused and ongoing supply-chain attack. It collects sensitive information from the build environment, including tokens and environment variables, encrypts the data, and exfiltrates it to the attacker’s server. The script incorporates time-based execution checks to evade detection and re-executes itself to maintain persistence. Multiple malicious versions were published before removal, while the legitimate package remains unaffected.
Source: https://www.veracode.com/blog/malicious-npm-package-targeting-github-actions/
2025-11-19
RONINGLOADER_DragonBreath_Loader_Evolves
HIGH
Intel Source:
Elastic Security Labs
Intel Name:
RONINGLOADER_DragonBreath_Loader_Evolves
Date of Scan:
2025-11-19
Impact:
HIGH
Summary:
Researchers at Elastic Security Labs have identified RONINGLOADER, a new multi-stage loader leveraged by the DragonBreath threat group to deliver an updated variant of the gh0st RAT. The campaign demonstrates significant advances in defense evasion, primarily through the abuse of Protected Process Light (PPL) to disable Windows Defender and neutralize popular Chinese security products such as Qihoo 360, Huorong, and Kingsoft. The operation employs signed drivers, custom WDAC policies, and phantom DLL injection to terminate antivirus processes and maintain stealth. Each loader stage escalates privileges, injects shellcode, and sets persistence by masquerading as legitimate Windows services like TrustedInstaller and MicrosoftSoftwareShadowCopy4Provider. The final payload incorporates clipboard hijacking, keylogging, and encrypted command-and-control communication over XOR-encoded TCP channels.
Source: https://www.elastic.co/security-labs/roningloader
2025-11-18
New_Phishing_Kit_Targets_Aruba_Users
MEDIUM
Intel Source:
Group IB
Intel Name:
New_Phishing_Kit_Targets_Aruba_Users
Date of Scan:
2025-11-18
Impact:
MEDIUM
Summary:
Researchers from Group-IB have uncovered a highly organized and automated phishing kit targeting customers of Aruba.it, a leading Italian IT and web services provider with over 5.4 million customers. The kit operates through a four-stage process that starts with a fake CAPTCHA page to appear legitimate, then steals login credentials through a replica of Aruba’s website. Afterward, it tricks victims into entering their payment card details on a fake renewal page and finally captures one-time passwords (OTPs) or 3D Secure codes to enable real-time account takeovers. The stolen information is exfiltrated to Telegram channels controlled by the attackers, with a local backup saved on their own server. The phishing pages enhance credibility by automatically pre-filling the victim’s email address and employ anti-bot filters to avoid detection.
Source: https://www.group-ib.com/blog/uncover-phishing-italy/
2025-11-18
Yurei_Ransomware_Go_based_Hybrid_Encryptor
HIGH
Intel Source:
ASEC
Intel Name:
Yurei_Ransomware_Go_based_Hybrid_Encryptor
Date of Scan:
2025-11-18
Impact:
HIGH
Summary:
Researchers at AhnLab have identified a new ransomware strain named Yurei, first observed in September 2025, which employs a Go-based builder and a hybrid encryption mechanism combining ChaCha20-Poly1305 and secp256k1-ECIES. The group operates a standard double-extortion model, encrypting corporate data, deleting backups, and demanding ransom through a dedicated dark web negotiation site. Yurei targets victims in Sri Lanka and Nigeria, primarily within the transportation, IT software, marketing, and food and beverage industries. The malware’s encryption process lacks common initialization routines, instead directly enumerating drives and encrypting files while excluding system directories and key extensions. Each file contains an embedded 32-byte encryption key and 24-byte nonce, both protected with ECIES, effectively preventing recovery without the attacker’s private key.
Source: https://asec.ahnlab.com/en/90975/
2025-11-18
Kraken_Ransomware
HIGH
Intel Source:
Cisco Talos
Intel Name:
Kraken_Ransomware
Date of Scan:
2025-11-18
Impact:
HIGH
Summary:
Cisco Talos researchers have identified a new Russian-speaking ransomware group named Kraken that emerged in 2025 from the remnants of the HelloKitty cartel. The group conducts double-extortion attacks targeting Windows, Linux, and VMware ESXi environments. In one observed incident, attackers gained initial access through an exposed SMB service, stole administrator credentials, and later re-entered the network via RDP to exfiltrate data and deploy ransomware. They maintained persistence and moved data using reverse tunnels and SSHFS before initiating encryption. The Windows variant disables system protections, deletes backups, incorporates anti-analysis mechanisms, and optimizes encryption performance, while the Linux/ESXi version can terminate virtual machines, self-delete, and erase forensic artifacts. The group demands ransoms of up to $1 million in cryptocurrency, accompanied by ransom notes titled “readme_you_ws_hacked.txt” that promise decryption and data confidentiality upon payment. Kraken also operates a data leak site and promotes the “Last Haven Board,” an underground forum designed for cybercriminal collaboration.
Source: https://blog.talosintelligence.com/kraken-ransomware-group/
2025-11-17
DarkComet_RAT_Fake_Bitcoin_Wallet_Lure
MEDIUM
Intel Source:
Point Wild
Intel Name:
DarkComet_RAT_Fake_Bitcoin_Wallet_Lure
Date of Scan:
2025-11-17
Impact:
MEDIUM
Summary:
Researchers at Point Wild have identified a malicious campaign in which threat actors are distributing the DarkComet Remote Access Trojan (RAT) through a fake cryptocurrency wallet application named “94k BTC Wallet.” The campaign exploits the popularity of cryptocurrency tools to deceive users into executing a Trojanized file that installs DarkComet on Windows systems. Once executed, the malware establishes persistence through registry autorun entries and masquerades as a legitimate system process to evade detection. Analysis revealed that DarkComet performs credential theft, keylogging, and command execution while maintaining a hidden communication channel with its remote operator. The attackers use UPX packing and compressed RAR archives to obfuscate the payload and increase infection success.
Source: https://www.pointwild.com/threat-intelligence/darkcomet-rat-malware-hidden-inside-fake-bitcoin-tool
2025-11-17
Fake_SteamCleaner_Used_for_Malware_Delivery
MEDIUM
Intel Source:
ASEC
Intel Name:
Fake_SteamCleaner_Used_for_Malware_Delivery
Date of Scan:
2025-11-17
Impact:
MEDIUM
Summary:
Researchers at ASEC have identified a malicious version of the open-source SteamCleaner tool being distributed as a fake cleanup tool for the Steam gaming platform. The attackers repackaged the legitimate installer with embedded malware while retaining its valid code signature to appear legitimate. Upon execution, the program silently runs PowerShell commands to install the Node runtime, establish persistence via scheduled tasks, and retrieve two JavaScript payloads that enable remote command execution. These payloads gather system information, communicate with attacker-controlled servers, and can download additional malicious components. The trojanized SteamCleaner is being distributed through multiple channels, including pirated software websites and GitHub repositories, increasing its reach.
Source: https://asec.ahnlab.com/ko/90915/
2025-11-16
Maverick_and_Coyote_Targeting_Brazilian_Banking_Sector
MEDIUM
Intel Source:
CyberProof
Intel Name:
Maverick_and_Coyote_Targeting_Brazilian_Banking_Sector
Date of Scan:
2025-11-16
Impact:
MEDIUM
Summary:
Researchers at CyberProof have identified a link between the threat actor Maverick and the Brazilian banking trojan family Coyote, based on similar coding patterns and attack methods. The campaign begins with a malicious file distributed via WhatsApp that executes a PowerShell-based downloader, followed by a .NET loader to deploy additional payloads. The malware disables security controls, establishes C2 communication, and achieves persistence by hijacking the local WhatsApp application and placing a batch file in the startup folder. It is designed to operate only on systems located in Brazil, self-terminating elsewhere. Once active, the malware monitors browser processes and deploys a banking module targeting Brazilian financial websites. This module decrypts an AES-encrypted list of targeted banking URLs and compares them against active browser tabs to harvest login credentials. The primary objective of the operation is financial fraud and credential theft.
Source: https://www.cyberproof.com/blog/maverick-and-coyote-analyzing-the-link-between-two-evolving-brazilian-banking-trojans/
2025-11-16
MastaStealer_Exploits_Windows_LNK
MEDIUM
Intel Source:
Maurice Fielenbach (LinkedIn)
Intel Name:
MastaStealer_Exploits_Windows_LNK
Date of Scan:
2025-11-16
Impact:
MEDIUM
Summary:
Researchers have uncovered a MastaStealer campaign that leverages Windows LNK files as an initial infection vector to deploy a C2 beacon and disable Windows Defender protections. The attack begins with a phishing email delivering a ZIP archive containing a malicious LNK file. When executed, it quietly opens the anydesk[.]com website in Microsoft Edge to appear legitimate, while in the background it downloads a malicious MSI installer from a typosquatted domain. If the installer is executed with admin rights, it extracts a payload called dwm.exe into the user’s local system and runs a PowerShell command that adds the malware to Windows Defender’s exclusion list, effectively concealing it from detection. The malware then establishes communication with attacker-controlled C2 servers using randomized domains to evade network-based detection.
Source: https://www.linkedin.com/feed/update/urn:li:activity:7394160502563590144/
2025-11-15
ValleyRAT_Targets_Chinese_Language_Users
HIGH
Intel Source:
Picus Security
Intel Name:
ValleyRAT_Targets_Chinese_Language_Users
Date of Scan:
2025-11-15
Impact:
HIGH
Summary:
Researchers at Picus Security have identified ValleyRAT, a multi-stage Windows Remote Access Trojan first seen in early 2023 and deployed in targeted attacks against Chinese-language users and organizations. The chain includes a downloader, loader, injector, and an in-memory RAT that abuses MSBuild.exe for stealth; loader components carry 3DES-encrypted embedded binaries that are decrypted only in memory, and regionally selective logic self-terminates if Chinese apps such as WeChat or DingTalk are absent from the registry. The malware aggressively escalates privileges via multiple UAC bypasses (Fodhelper.exe, CompMgmtLauncher.exe, Event Viewer registry hijacks), manipulates access tokens to obtain SeDebugPrivilege, and can terminate or tamper with processes of AV vendors (notably Qihoo 360, Tencent, and Kingsoft). It injects PowerShell to exclude its folders from Windows Defender, achieves persistence through Run keys and Startup copies, performs sandbox/VM detection, and uses dynamic beaconing after connectivity checks.
Source: https://www.picussecurity.com/resource/blog/dissecting-valleyrat-from-loader-to-rat-execution-in-targeted-campaigns
2025-11-15
Curly_COMrades_Campaign
MEDIUM
Intel Source:
Bitdefender
Intel Name:
Curly_COMrades_Campaign
Date of Scan:
2025-11-15
Impact:
MEDIUM
Summary:
Researchers at Bitdefender uncovered a new campaign called Curly COMrades, in which attackers hide their tools inside a Hyper-V virtual machine on compromised Windows 10 systems to stay undetected and maintain long-term access. The VM, installed and launched through PowerShell and disguised as Windows’ WSL environment, runs an Alpine Linux system containing two implants, CurlyShell and CurlCat. These tools communicate with remote servers using SSH tunnels and HTTPS channels, keeping most malicious activity isolated from the host system and out of reach of traditional endpoint defenses. Attackers further enhance stealth through techniques such as Kerberos ticket injection, SMB-based lateral movement, and Group Policy scripts that recreate accounts and redeploy tools if removed.
Source: https://www.bitdefender.com/en-us/blog/businessinsights/curly-comrades-evasion-persistence-hidden-hyper-v-virtual-machines
2025-11-15
Danabot_v669_Resurgence_Post_Endgame_Takedown
MEDIUM
Intel Source:
Zscaler Threatlabz
Intel Name:
Danabot_v669_Resurgence_Post_Endgame_Takedown
Date of Scan:
2025-11-15
Impact:
MEDIUM
Summary:
Researchers at Zscaler ThreatLabz have identified the reemergence of the Danabot banking trojan with version 669, marking its return after a six-month operational hiatus following the Operation Endgame law enforcement actions in May 2025. The latest activity demonstrates Danabot’s continued evolution and operational resilience, as the threat actors behind it have rebuilt their command-and-control infrastructure to restore functionality. Danabot remains a sophisticated modular malware family focused on credential theft, financial fraud, and cryptocurrency exfiltration. Its new infrastructure includes both clearnet and Tor-based components, indicating an emphasis on redundancy and evasion. The use of Tor suggests enhanced stealth and resilience against takedown efforts, while the continued targeting of cryptocurrency assets reflects the operators’ shift toward more direct financial monetization.
Source: https://x.com/Threatlabz/status/1987965385036230779
2025-11-14
Formbook_Loader_via_Multi_Script_Chain
MEDIUM
Intel Source:
ISC.SANS
Intel Name:
Formbook_Loader_via_Multi_Script_Chain
Date of Scan:
2025-11-14
Impact:
MEDIUM
Summary:
Researchers at the SANS Internet Storm Center have identified a new Formbook delivery campaign that leverages multiple obfuscated scripting layers to evade detection and deliver its payload. The infection begins with a phishing email containing a ZIP archive that includes a Visual Basic Script, which initiates execution with an artificial delay to bypass automated analysis systems. The script dynamically constructs and launches an obfuscated PowerShell command that decodes further instructions and retrieves a secondary payload from a remote source. This second-stage PowerShell component performs additional deobfuscation routines and executes a binary injector responsible for loading the Formbook information stealer into memory via a legitimate Windows process.
Source: https://isc.sans.edu/diary/rss/32480
2025-11-14
Qilin_Ransomware_Surge_Global_Escalation_in_Oct_2025
HIGH
Intel Source:
Cyble
Intel Name:
Qilin_Ransomware_Surge_Global_Escalation_in_Oct_2025
Date of Scan:
2025-11-14
Impact:
HIGH
Summary:
Researchers at Cyble have identified a significant 30% surge in ransomware attacks during October 2025, marking one of the most active periods of the year and the second-highest total on record. The Qilin ransomware group led global activity, claiming 210 victims—three times more than the next most active group, Akira—while new entrants such as Sinobi and Medusa contributed to the rapidly evolving threat landscape. The report highlights a rise in exploit weaponization and advanced intrusion methods, including exploitation of Oracle E-Business and GoAnywhere MFT vulnerabilities, alongside the abuse of legitimate remote management tools and SQL-based lateral movement. Critical infrastructure and supply chain entities were notably impacted, with 31 and 26 incidents respectively. The United States remained the most targeted geography, followed by Canada, France, Germany, and Australia, while the construction, professional services, healthcare, and IT sectors experienced the highest attack volumes.
Source: https://cyble.com/blog/ransomware-attacks-surge-october-2025/
2025-11-14
macOS_Malware_Distributes_via_AppleScript
MEDIUM
Intel Source:
Pepe Berba
Intel Name:
macOS_Malware_Distributes_via_AppleScript
Date of Scan:
2025-11-14
Impact:
MEDIUM
Summary:
Researcher Pepe Berba has identified a surge in macOS malware campaigns that leverage AppleScript files to deceive users into manually executing malicious code through the Script Editor. These attacks are distributed via ZIP or DMG archives containing fake documents or bogus app updates, often disguised with convincing custom icons resembling Word or PowerPoint files, along with instructions that urge victims to initiate execution. This technique has been linked to both commodity stealers such as MacSync and Odyssey and to activity associated with the BlueNoroff APT group. Some campaigns include additional droppers, such as obfuscated AppleScripts that download and execute further payloads. The lures commonly impersonate enterprise tools such as Teams, Zoom, or Chrome to increase user engagement.
Source: https://pberba.github.io/security/2025/11/11/macos-infection-vector-applescript-bypass-gatekeeper/
2025-11-13
PatoRAT_via_LogMeIn_and_PDQ_Abuse
HIGH
Intel Source:
ASEC
Intel Name:
PatoRAT_via_LogMeIn_and_PDQ_Abuse
Date of Scan:
2025-11-13
Impact:
HIGH
Summary:
Researchers at AhnLab Security Intelligence Center (ASEC) have identified a campaign distributing the PatoRAT backdoor through the abuse of legitimate Remote Monitoring and Management (RMM) tools LogMeIn Resolve and PDQ Connect. Threat actors disguise the malicious installers as popular freeware utilities such as Notepad++ or 7-Zip, luring users into downloading fake versions from deceptive websites. Once installed, the trojanized LogMeIn instance allows attackers to execute PowerShell commands and deploy PatoRAT, a Delphi-based remote access tool capable of system control, information theft, and surveillance. The malware’s code includes Portuguese-language strings and encrypted configuration data, suggesting a Portuguese-speaking origin. PatoRAT can gather system identifiers, operating system details, memory usage, and active windows, transmitting this data to its command-and-control infrastructure. It also supports extensive commands including remote desktop, keylogging, clipboard monitoring, and file manipulation.
Source: https://asec.ahnlab.com/en/90968/
2025-11-13
A_Surge_in_AI_Enabled_Malware
MEDIUM
Intel Source:
PolySwarm
Intel Name:
A_Surge_in_AI_Enabled_Malware
Date of Scan:
2025-11-13
Impact:
MEDIUM
Summary:
Researchers at PolySwarm have uncovered a new wave of malware that actively leverages large language models (LLMs) at runtime to generate or modify its own code and obfuscate payloads. This marks a significant shift from using AI merely as a development aid to integrating it directly into the attack process. The identified families include PROMPTFLUX, which hides and regenerates itself while spreading through USB drives; PROMPTSTEAL, which masquerades as image-editing software but steals data using LLM-generated commands; PROMPTLOCK, a ransomware proof-of-concept capable of encrypting and exfiltrating data across both Windows and Linux systems; QUIETVAULT, which targets developer credentials such as GitHub and NPM tokens and uploads them to public repositories; and FRUITSHELL, a PowerShell-based reverse shell designed to evade AI-driven security analysis. Some activity has been linked to APT28, with observed victims including Ukrainian organizations and developer environments.
Source: https://blog.polyswarm.io/rise-of-the-ai-enabled-malware
2025-11-12
SteamCleaner_Backdoor_Signed_Proxyware_Loader
MEDIUM
Intel Source:
ASEC
Intel Name:
SteamCleaner_Backdoor_Signed_Proxyware_Loader
Date of Scan:
2025-11-12
Impact:
MEDIUM
Summary:
Researchers at AhnLab Security Intelligence Center (ASEC) have identified a new malware campaign in which threat actors distribute a modified version of the open-source SteamCleaner utility to deliver a backdoor payload. The attackers obtained the legitimate SteamCleaner source code, inserted malicious components, and recompiled it using InnoSetup with a valid digital signature issued to a legitimate company, allowing the malware to appear authentic and evade trust-based defenses. Once executed, the malware installs a Node.js-based backdoor that communicates periodically with remote command servers to receive and execute attacker-controlled commands. It also registers scheduled tasks to ensure persistence and can download and run additional payloads.
Source: https://asec.ahnlab.com/en/90969/
2025-11-11
Remcos_RAT_GLS_ClickFix_Malspam_in_Italy
MEDIUM
Intel Source:
CERT-AGID
Intel Name:
Remcos_RAT_GLS_ClickFix_Malspam_in_Italy
Date of Scan:
2025-11-11
Impact:
MEDIUM
Summary:
Researchers at CERT-AGID have identified a large-scale malspam campaign in Italy that distributes the Remcos remote access trojan (RAT) through a deceptive GLS-branded ClickFix lure. The campaign impersonates courier notifications from GLS to trick recipients into completing a supposed delivery form attached to the email. The attachment, disguised as an XHTML document, contains obfuscated JavaScript that redirects users to a counterfeit GLS web page hosted on a legitimate cloud platform. There, victims are socially engineered into executing specific terminal commands, initiating the manual download of a malicious payload. Analysis shows that this technique, known as ClickFix, leverages user interaction to bypass security tools by avoiding automated code execution. The downloaded payload ultimately delivers a Remcos RAT binary configured for remote control, data exfiltration, and deployment of secondary payloads.
Source: https://cert-agid.gov.it/news/analisi-di-remcos-rat-diffuso-in-italia-con-campagna-clickfix-a-tema-gls/
2025-11-11
Exploitation_of_SimpleHelp_RMM
HIGH
Intel Source:
Zensec
Intel Name:
Exploitation_of_SimpleHelp_RMM
Date of Scan:
2025-11-11
Impact:
HIGH
Summary:
Zensec researchers uncovered two major ransomware campaigns that exploited critical vulnerabilities (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) in the SimpleHelp Remote Monitoring and Management (RMM) platform. These flaws enabled threat actors, including the Medusa and DragonForce ransomware groups, to compromise supplier-controlled RMM servers running with SYSTEM-level privileges, granting them unrestricted access to customer networks. Medusa leveraged PDQ Deploy and PowerShell commands to disable security defenses, conduct network reconnaissance, and deploy ransomware payloads named Gaze.exe, while exfiltrating data via RClone prior to encryption. In contrast, DragonForce utilized similar access methods but relied on Restic for data exfiltration and Get-Veeam-Creds.ps1 scripts to extract backup credentials. Both groups deployed ransomware across victim environments, encrypting systems and leaving ransom notes “!!!READ_ME_MEDUSA!!!.txt” for Medusa and “readme.txt” for DragonForce, which contained TOX chat contact details.
Source: https://zensec.co.uk/blog/how-rmm-abuse-fuelled-medusa-dragonforce-attacks/
2025-11-11
Lazarus_New_Comebacker_Espionage_Variant
HIGH
Intel Source:
Enki WhiteHat
Intel Name:
Lazarus_New_Comebacker_Espionage_Variant
Date of Scan:
2025-11-11
Impact:
HIGH
Summary:
Researchers at Enki WhiteHat have identified a new variant of the Comebacker malware being used by the Lazarus Group in an ongoing cyber-espionage campaign targeting aerospace and defense organizations. The activity demonstrates a significant evolution from prior Comebacker versions first documented in 2021, incorporating multi-stage loaders, in-memory execution, and advanced encryption mechanisms designed to hinder analysis and detection. The initial infection vector involves malicious Word documents themed around defense research institutions and aerospace contractors, used to deliver a downloader that decrypts and executes additional payloads.
Source: https://www.enki.co.kr/en/media-center/blog/lazarus-group-targets-aerospace-and-defense-with-new-comebacker-variant
2025-11-10
Phishing_Campaign_Steals_Banking_Credentials
MEDIUM
Intel Source:
Cert-AGID
Intel Name:
Phishing_Campaign_Steals_Banking_Credentials
Date of Scan:
2025-11-10
Impact:
MEDIUM
Summary:
CERT-AGID has identified a new phishing campaign that illicitly uses the name and logo of the Bank of Italy to deceive users. The threat actors have created a fraudulent website posing as a legitimate platform for updating personal information under the guise of complying with new anti-money laundering regulations. Users are prompted to select their bank from a list of well-known Italian institutions, after which they are directed to counterfeit login pages. The site then prompts victims to enter sensitive information such as their full name, mobile number, banking credentials, and OTPs, allowing the attackers to steal both personal and financial data.
Source: https://cert-agid.gov.it/news/in-corso-una-campagna-di-phishing-ai-danni-di-banca-ditalia/
2025-11-10
SleepyDuck_Malware_Targets_Developer_IDEs
LOW
Intel Source:
Secure Annex
Intel Name:
SleepyDuck_Malware_Targets_Developer_IDEs
Date of Scan:
2025-11-10
Impact:
LOW
Summary:
Researchers at Secure Annex have uncovered SleepyDuck, a malicious IDE extension distributed through the Open VSX marketplace, which is used by editors such as Cursor and Windsurf. Disguised as a legitimate Solidity language extension (juan-bianco.solidity-vlang), it accumulated over 14,000 downloads before a malicious update (v0.0.8) introduced a remote access trojan (RAT) payload. The RAT activates when a .sol file is opened or a new editor window launches, collecting host data (hostname, username, MAC address, and timezone) and beaconing to a C2 server every 30 seconds. If the C2 domain becomes unavailable, SleepyDuck fetches updated commands via a smart contract on the Ethereum blockchain, giving it resilient blockchain-based C2 reconfiguration. The malware employs sandbox evasion using vm.createContext(), enforces single execution through a lock file, and uses light obfuscation with a fake webpack.init() routine, while maintaining persistence via decentralized infrastructure. C2 management is linked to an Ethereum contract that records configuration updates and emergency commands. This campaign continues a pattern of Solidity-themed malware uploads to developer marketplaces since July 2025, associated with the same pseudonymous publisher (hailywels39-art), highlighting an emerging supply chain threat targeting developer ecosystems and exposing the potential for credential theft and IDE compromise.
Source: https://secureannex.com/blog/sleepyduck-malware/
2025-11-10
A_Two_Stage_Info_Stealer
MEDIUM
Intel Source:
Hybrid Analysis
Intel Name:
A_Two_Stage_Info_Stealer
Date of Scan:
2025-11-10
Impact:
MEDIUM
Summary:
Hybrid Analysis researchers uncovered a two-part information-stealing operation consisting of an injector named LeakyInjector and a stealer payload called LeakyStealer. The pair is designed to harvest cryptocurrency wallet data and browser artifacts before beaconing and exfiltrating the collected information to an attacker C2. The injector performs process injection into explorer.exe and sets persistence via a Run-key value, establishing a resident foothold. The stealer collects host identifiers such as hostname, username, domain, and OS version, then composes a registration packet for the C2. It specifically hunts for multiple crypto-wallet browser extensions and sends browser history files to the server. The C2 protocol supports tasking that includes downloading and executing additional files and running arbitrary Windows commands, with output returned to the operator.
Source: https://hybrid-analysis.blogspot.com/2025/11/leakyinjector-and-leakystealer-duo.html
2025-11-09
CHAMELEON_NET_Spreads_FormBook_via_DarkTortilla
HIGH
Intel Source:
Securonix Threat Research
Intel Name:
CHAMELEON_NET_Spreads_FormBook_via_DarkTortilla
Date of Scan:
2025-11-09
Impact:
HIGH
Summary:
Researchers at Securonix Threat Research have identified CHAMELEON#NET, a sophisticated malspam campaign that delivers the FormBook RAT via a multi-stage DarkTortilla loader. Phishing emails impersonating national social security institutions lure victims to a fake webmail portal where they download an archive (81__POP1.BZ2) containing a heavily obfuscated JavaScript dropper (POP2.js). The dropper spawns Base64-encoded payloads (adobe.js, svchost.js) that install a VB.NET loader (QNaZg.exe), a DarkTortilla variant that decrypts an embedded DLL with a custom XOR cipher and reflectively loads it in memory via AppDomain.Load(byte[]) to avoid disk-based detection. The decrypted Segwenservice.dll is identified as FormBook RAT, configured through AES-encrypted resources to manage persistence, anti-VM checks, and credential theft. It establishes persistence via registry Run keys and AppData startup implants while masquerading as word.exe and disabling Windows Defender, performs keylogging and data exfiltration to a DuckDNS C2, and demonstrates extensive fileless reflective loading, multi-layer obfuscation, and time-based sandbox evasion using ping delays.
Source: https://www.securonix.com/blog/chameleonnet-a-deep-dive-into-multi-stage-net-malware-leveraging-reflective-loading-and-custom-decryption-for-stealthy-operations/
2025-11-09
DragonForce_Rebrands_as_Expanding_Ransomware_Cartel
HIGH
Intel Source:
Acronis
Intel Name:
DragonForce_Rebrands_as_Expanding_Ransomware_Cartel
Date of Scan:
2025-11-09
Impact:
HIGH
Summary:
Researchers at Acronis Threat Research Unit have identified that DragonForce, a Conti-derived ransomware-as-a-service (RaaS) operation active since 2023, has rebranded into a full-fledged ransomware cartel, enabling affiliates to white-label its encryptor and release variants such as Devman and Mamona/Global. The group employs BYOVD attacks using vulnerable kernel drivers (truesight.sys, rentdrv2.sys) to disable security tools prior to encryption and shares code lineage with LockBit Green via Conti v3 leaks. DragonForce’s affiliate program offers 80% profit shares and infrastructure access, and its alliance with Scattered Spider, a group specializing in SIM-swapping, MFA bypass, and vishing, provides initial access and data exfiltration via AnyDesk, ScreenConnect, and cloud platforms like MEGA or Amazon S3. Since late 2023, DragonForce affiliates have exposed over 200 enterprise victims across industries including retail, airlines, MSPs, and insurance, with the Marks & Spencer breach notably linked to the DragonForce–Scattered Spider partnership. Rebuilt using MinGW from Conti’s leaked source, the malware encrypts Windows, Linux, and ESXi systems with ChaCha20 and RSA-wrapped keys, referencing configuration files for process-kill lists (MsMpEng.exe, sql.exe) and whitelisted paths.
Source: https://www.acronis.com/en/tru/posts/the-dragonforce-cartel-scattered-spider-at-the-gate/
2025-11-09
Operation_Silk_Lure_Scheduled_Tasks_Weaponized
LOW
Intel Source:
Seqrite
Intel Name:
Operation_Silk_Lure_Scheduled_Tasks_Weaponized
Date of Scan:
2025-11-09
Impact:
LOW
Summary:
Researchers at Seqrite found a cyber-espionage campaign where attackers sent fake Chinese résumés to HR teams. When opened, the file secretly installs malware using Windows Task Scheduler and hidden DLL files. The malware, called ValleyRAT, steals data, monitors the computer, and connects to hidden servers in Hong Kong. It primarily targets people working in crypto trading and financial technology companies.
Source: https://www.seqrite.com/blog/operation-silk-lure-scheduled-tasks-weaponized-for-dll-side-loading-drops-valleyrat/
2025-11-08
Cephalus_Ransomware_Fake_Key_Evasion
HIGH
Intel Source:
ASEC
Intel Name:
Cephalus_Ransomware_Fake_Key_Evasion
Date of Scan:
2025-11-08
Impact:
HIGH
Summary:
Researchers at AhnLab Security Emergency response Center (ASEC) have identified a new ransomware group named Cephalus, first observed in June 2025 and motivated solely by financial gain. The group primarily breaches organizations by stealing credentials through Remote Desktop Protocol (RDP) sessions that lack multi-factor authentication (MFA). Once inside, Cephalus exfiltrates sensitive data and encrypts systems to pressure victims into payment. The ransomware, written in Go, employs advanced evasion mechanisms such as generating fake AES keys to mislead analysts and utilizing the AES-CTR encryption mode to minimize key exposure in both disk and memory. Cephalus disables Windows Defender’s protections, deletes Volume Shadow Copies, and terminates backup services like Veeam and MSSQL to ensure irrecoverability of encrypted data. Its SecureMemory routines, including memory-locking and XOR-based key masking, further protect its encryption keys from forensic recovery.
Source: https://asec.ahnlab.com/en/90878/
2025-11-08
Windows_SSH_backdoor
MEDIUM
Intel Source:
Twitter
Intel Name:
Windows_SSH_backdoor
Date of Scan:
2025-11-08
Impact:
MEDIUM
Summary:
PRODAFT researchers have identified that the FIN7 threat group, also known as Savage Ladybug, is actively deploying a Windows-based SSH backdoor to maintain persistent access and exfiltrate data from enterprise systems. This campaign leverages legitimate OpenSSH components along with a batch script to automate deployment and establish covert communication channels between compromised hosts and attacker-controlled servers. By abusing the legitimate SSH protocol, FIN7 establishes encrypted reverse SSH and SFTP connections that blend seamlessly with legitimate administrative traffic, making detection highly challenging. The backdoor facilitates persistent remote access, lateral movement, and data theft while leaving minimal forensic traces in security logs.
Source: https://x.com/PRODAFT/status/1985731361492050255
2025-11-07
Beast_Ransomware_Hidden_in_GUI
LOW
Intel Source:
ASEC researchers
Intel Name:
Beast_Ransomware_Hidden_in_GUI
Date of Scan:
2025-11-07
Impact:
LOW
Summary:
Researchers at AhnLab Security Intelligence Center (ASEC) analyzed a newly emerging ransomware group called Beast, which evolved from the Monster ransomware family. The Beast group began operating as a Ransomware-as-a-Service (RaaS) in February 2025 and launched its Tor-based leak site (“Beast Leaks”) in July 2025. As of August 2025, it had publicly named 16 victims across North America, Europe, Asia, and Latin America, targeting multiple sectors such as manufacturing, construction, healthcare, education, and business services. Beast ransomware stands out for its technical sophistication, interactive GUI interface, and advanced anti-recovery mechanisms, making decryption nearly impossible without the attackers’ key.
Source: https://asec.ahnlab.com/en/90792/
2025-11-07
Rhadamanthys_Malware
LOW
Intel Source:
ASEC researchers
Intel Name:
Rhadamanthys_Malware
Date of Scan:
2025-11-07
Impact:
LOW
Summary:
Researchers at AhnLab Security Intelligence Center (ASEC) identified a new distribution method for the Rhadamanthys infostealer, a well-known malware family that steals credentials, cryptocurrency wallets, browser data, and system information. In this campaign, threat actors disguise Rhadamanthys as a legitimate Ren’Py visual novel game; Ren’Py is a Python-based open-source game engine used by indie developers and available on platforms like Steam. The attackers embed the malware into the game’s script files so that when users run what appears to be a harmless game executable, the malicious loader activates and installs Rhadamanthys in the background. This campaign leverages social engineering and gaming communities (especially free game forums and file-sharing sites like MediaFire) to infect unsuspecting users.
Source: https://asec.ahnlab.com/en/90767/
2025-11-07
Kimsuky_JavaScript_Dropper_Analysis
HIGH
Intel Source:
Pulsedive
Intel Name:
Kimsuky_JavaScript_Dropper_Analysis
Date of Scan:
2025-11-07
Impact:
HIGH
Summary:
Researchers at Pulsedive Threat Research have identified a new Kimsuky intrusion chain leveraging a JavaScript-based dropper to establish persistence and exfiltrate system information from Windows hosts. The investigation revealed that the dropper executes multiple stages, beginning with a lightweight JavaScript file responsible for retrieving and executing additional payloads from adversary infrastructure. The subsequent stage performs host reconnaissance by collecting system configuration details, running processes, and directory listings, which are then compressed and transmitted to the attacker’s command server. The malware further modifies Windows registry keys and creates scheduled tasks to maintain continuous execution, ensuring the dropper remains active even after reboot.
Source: https://blog.pulsedive.com/dissecting-the-infection-chain-technical-analysis-of-the-kimsuky-javascript-dropper/
2025-11-06
ActiveMQ_Vulnerability_Exploitation_to_Install_Sharpire
LOW
Intel Source:
AhnLab Security Intelligence Center
Intel Name:
ActiveMQ_Vulnerability_Exploitation_to_Install_Sharpire
Date of Scan:
2025-11-06
Impact:
LOW
Summary:
Researchers at ASEC discovered that the Kinsing (also known as H2Miner) threat actor is exploiting the Apache ActiveMQ vulnerability (CVE-2023-46604) to infect both Linux and Windows systems. The attackers use this flaw to remotely install several malware families, including XMRig (cryptominer), Sharpire (.NET backdoor), Cobalt Strike, and Meterpreter, for system control and post-exploitation. This marks a shift in Kinsing’s activity, from simple cryptocurrency mining to full system compromise and remote control, making it a more serious and versatile threat.
Source: https://asec.ahnlab.com/en/90811/
2025-11-06
SleepyDuck_VSX_Ethereum_Based_C2_Malware
HIGH
+
Intel Source:
Cyberwarzone
Intel Name:
SleepyDuck_VSX_Ethereum_Based_C2_Malware
Date of Scan:
2025-11-06
Impact:
HIGH
Summary:
Researchers at Secure Annex have identified a malicious Visual Studio Extension (VSX) known as SleepyDuck that employs the Ethereum blockchain for command-and-control (C2) operations. Distributed through the Open VSX registry under the guise of a legitimate Solidity development tool, the extension was modified in early November 2025 to include remote access trojan capabilities. Once installed, SleepyDuck connects to Ethereum smart contracts to dynamically update its C2 configuration, making takedown and detection significantly more difficult. The malware periodically polls for new commands, exfiltrates host and user information, and maintains fallback mechanisms using multiple Ethereum Remote Procedure Call (RPC) endpoints to ensure persistence.
Source: https://cyberwarzone.com/2025/11/04/malicious-vsx-extension-sleepyduck-leverages-ethereum-for-command-and-control/
2025-11-06
Tycoon_2FA_Bypasses_MFA_via_AiTM_Phishing_Kit
HIGH
+
Intel Source:
Cybereason
Intel Name:
Tycoon_2FA_Bypasses_MFA_via_AiTM_Phishing_Kit
Date of Scan:
2025-11-06
Impact:
HIGH
Summary:
Researchers at Cybereason have identified Tycoon 2FA, a sophisticated Phishing-as-a-Service (PhaaS) kit active since August 2023 that uses a reverse-proxy Adversary-in-the-Middle (AiTM) technique to bypass MFA/2FA on Microsoft 365 and Google (Gmail) accounts by intercepting credentials and session cookies in real time for full account compromise. The kit delivers phishing links via PDFs, PowerPoint, SVG files, and malicious websites often hosted on cloud platforms (Amazon S3, Dropbox, Canva), and performs domain, CAPTCHA, debugger, and bot checks prior to redirection to evade automated analysis. Its multi-stage JavaScript chain employs base64, XOR, and AES-encrypted code with CryptoJS-driven dynamic decryption, heavy obfuscation, and memory-only execution; it gathers user-agent and geolocation data, encrypts the data with hardcoded AES keys, and transmits it via AJAX POSTs to attacker-controlled C2 endpoints. The AiTM proxy relays credentials to legitimate servers while dynamically rendering authentic error messages and MFA prompts, making the phishing flow nearly indistinguishable from real logins, and the kit’s adaptive design tailors attacks to victims’ authentication policies.
Source: https://www.cybereason.com/blog/tycoon-phishing-kit-analysis
2025-11-05
Phishing_Campaign_Targets_NPM_Developers
HIGH
+
Intel Source:
Group-IB
Intel Name:
Phishing_Campaign_Targets_NPM_Developers
Date of Scan:
2025-11-05
Impact:
HIGH
Summary:
Group-IB researchers uncovered a phishing-based supply chain attack targeting the NPM ecosystem. The campaign began when threat actors compromised a developer’s NPM account by luring them to a fraudulent NPM login portal disguised as a legitimate 2FA update notification. Once the attacker gained full access, they modified around 20 widely used NPM packages to inject a malicious JavaScript-based crypto-clipper. The malware covertly monitored browser and application activity to detect cryptocurrency transactions and replaced legitimate wallet addresses with those controlled by the attackers, impacting multiple cryptocurrencies including Bitcoin, Ethereum, Solana, Tron, Litecoin, and Bitcoin Cash. The phishing emails impersonated official NPM Support communications, evading SPF, DKIM, and DMARC checks while leveraging urgency to prompt user action. The compromised packages collectively received about 2.8 billion weekly downloads, underscoring the significant potential impact.
Source: https://www.group-ib.com/blog/detect-npm-supply-chain-attack/
2025-11-05
MuddyWater_Phoenix_v4_Espionage_Campaign
HIGH
+
Intel Source:
Polyswarm
Intel Name:
MuddyWater_Phoenix_v4_Espionage_Campaign
Date of Scan:
2025-11-05
Impact:
HIGH
Summary:
Researchers at PolySwarm have identified a new cyber-espionage campaign attributed to the Iran-linked APT MuddyWater, which is actively targeting government entities across the Middle East and North Africa. The operation employs phishing emails sent from compromised accounts accessed via NordVPN, delivering macro-enabled Word documents that execute a FakeUpdate injector to deploy the Phoenix backdoor version 4. Once executed, the malware establishes persistence through Winlogon registry modifications and enables remote access for data exfiltration and command execution. Analysis indicates that the attackers leverage Chromium-based credential stealers and remote monitoring tools such as PDQ and Action1, hosted on the same infrastructure, to maintain access and facilitate post-exploitation activities. Overlaps in macro code, C2 infrastructure, and tool usage link this operation to historical MuddyWater campaigns tied to Iran’s Ministry of Intelligence and Security (MOIS).
Source: https://blog.polyswarm.io/muddywater-targets-mena-governments-with-phoenix-backdoor
2025-11-05
SSH_Tor_Backdoor_Target_Defence_Sector
MEDIUM
+
Intel Source:
Cyble
Intel Name:
SSH_Tor_Backdoor_Target_Defence_Sector
Date of Scan:
2025-11-05
Impact:
MEDIUM
Summary:
Researchers at Cyble have identified a phishing campaign that deploys an SSH-over-Tor backdoor via military-themed lures and weaponized archives. The attack chain is initiated by a malicious .LNK shortcut that executes PowerShell, performs environment checks, stages additional payloads, and then presents benign-appearing decoy documents to minimize detection. Following installation, the implant establishes persistence through a scheduled task and installs OpenSSH alongside Tor components to conceal C2 infrastructure within Tor hidden services. Operators then expose multiple services—SSH, RDP, SMB and SFTP—over those hidden services, enabling full remote administration, credential harvesting, data staging and exfiltration, and lateral movement across the compromised environment.
Source: https://cyble.com/blog/weaponized-military-documents-deliver-backdoor/
2025-11-04
Operation_Peek_a_Baku_Targets_Central_Asia
HIGH
+
Intel Source:
Seqrite
Intel Name:
Operation_Peek_a_Baku_Targets_Central_Asia
Date of Scan:
2025-11-04
Impact:
HIGH
Summary:
Researchers at Seqrite Labs have identified a new espionage campaign, Operation Peek-a-Baku, orchestrated by Silent Lynx, a Central Asia–focused APT group also known as YoroTrooper and ShadowSilk. Active since at least 2024, the group continues to target diplomatic, government, and infrastructure entities across Tajikistan, Azerbaijan, Russia, and China, demonstrating continuity in tooling with only marginal tradecraft evolution—such as shifting encoded payloads from binaries to GitHub-hosted PowerShell scripts. The campaign relies on spear-phishing emails delivering RAR archives containing LNK files that execute malicious PowerShell reverse shells, deploying payloads like Silent Loader, SilentSweeper, and Laplas implants, which leverage TCP and TLS reverse shells for persistent command execution. The attackers also use Ligolo-ng tunneling to sustain covert network access. Targeting aligns with significant diplomatic summits and projects, including the Russia–Azerbaijan meeting in Dushanbe (October 2025) and the China–Central Asia Summit in Astana (June 2025), reflecting an intelligence-gathering motive focused on strategic communications and infrastructure.
Source: https://www.seqrite.com/blog/operation-peek-a-baku-silent-lynx-apt-dushanbe-espionage/
2025-11-03
COLDRIVER_New_Malware_Toolset_Expansion
HIGH
+
Intel Source:
Polyswarm
Intel Name:
COLDRIVER_New_Malware_Toolset_Expansion
Date of Scan:
2025-11-03
Impact:
HIGH
Summary:
Researchers at PolySwarm have identified a significant evolution in the Russian state-sponsored group COLDRIVER’s malware arsenal, featuring the introduction of three new families—NOROBOT, YESROBOT, and MAYBEROBOT. The shift followed the public exposure of the LOSTKEYS malware in May 2025 and reflects COLDRIVER’s ongoing focus on evading detection while maintaining aggressive intelligence collection operations. The group’s infection chain now begins with a deceptive “ClickFix” lure masquerading as a CAPTCHA verification, executing malicious DLL payloads through rundll32. NOROBOT serves as the initial downloader with advanced cryptography and modular staging, while YESROBOT, a Python-based backdoor, and MAYBEROBOT, a PowerShell variant, demonstrate COLDRIVER’s agile development approach and emphasis on flexible persistence.
Source: https://blog.polyswarm.io/coldriver-updates-its-arsenal
2025-11-03
Operation_SkyCloak
HIGH
+
Intel Source:
Seqrite
Intel Name:
Operation_SkyCloak
Date of Scan:
2025-11-03
Impact:
HIGH
Summary:
Researchers at Seqrite Labs have uncovered a new espionage campaign, dubbed Operation SkyCloak, targeting military personnel in Russia and Belarus, including members of the Russian Airborne Forces (VDV) and Belarusian Special Forces. The operation uses spearphishing attachments disguised as official military documents to deliver a multi-stage PowerShell-based stager that deploys a customized OpenSSH server over Tor hidden services, exposing SSH, SMB, and RDP interfaces through obfs4 bridges for covert remote access. The infection chain begins with malicious .LNK files posing as PDFs, which execute embedded PowerShell commands to extract archives and establish persistence through hidden scheduled tasks that repurpose legitimate Windows binaries as SSH and SFTP servers. Each stage is heavily obfuscated and incorporates anti-sandbox checks to evade automated detection. The campaign’s Tor bridge infrastructure is distributed across Germany, France, Poland, and Canada, demonstrating a high degree of operational sophistication. While attribution remains uncertain, Seqrite notes tactical overlaps with Eastern European espionage groups and similarities to pro-Ukraine APT clusters such as Angry Likho and Awaken Likho.
Source: https://www.seqrite.com/blog/operation-skycloak-tor-campaign-targets-military-of-russia-belarus/
2025-11-03
DPRK_Clusters_HttpTroy_and_BLINDINGCAN_Evolution
HIGH
+
Intel Source:
Gen Digital
Intel Name:
DPRK_Clusters_HttpTroy_and_BLINDINGCAN_Evolution
Date of Scan:
2025-11-03
Impact:
HIGH
Summary:
Researchers at Gen Digital Threat Labs have identified two concurrent campaigns conducted by DPRK-linked threat clusters Kimsuky and Lazarus, highlighting significant evolution in their shared tradecraft. Kimsuky executed an espionage-focused operation using a multi-stage intrusion chain beginning with a phishing-delivered archive that deployed the lightweight loader MemLoad and the fully featured backdoor HttpTroy. This toolset enabled persistent remote access, in-memory payload execution, and command-and-control over encrypted HTTP channels, demonstrating refined operational discipline.
Source: https://www.gendigital.com/blog/insights/research/dprk-kimsuky-lazarus-analysis
2025-11-03
TruffleNet_Cloud_Credential_Abuse_Campaign
HIGH
+
Intel Source:
Fortinet
Intel Name:
TruffleNet_Cloud_Credential_Abuse_Campaign
Date of Scan:
2025-11-03
Impact:
HIGH
Summary:
Researchers at FortiGuard Labs have identified a large-scale cloud abuse campaign dubbed TruffleNet, which exploits compromised Amazon Web Services (AWS) credentials to conduct reconnaissance and facilitate Business Email Compromise (BEC) operations. The threat actors used the open-source tool TruffleHog to automate credential validation and enumeration across AWS environments, focusing particularly on the Simple Email Service (SES) for sending spoofed messages from verified domains. Once access was confirmed, the attackers created fraudulent email identities using stolen DKIM keys from compromised web servers to impersonate trusted organizations and execute targeted financial fraud. The infrastructure supporting TruffleNet spanned hundreds of cloud hosts across multiple providers, orchestrated using Portainer for scalable coordination.
Source: https://www.fortinet.com/blog/threat-research/cloud-abuse-at-scale
2025-11-02
BRONZE_BUTLER_Exploits_LANSCOPE_Zero_Day
HIGH
+
Intel Source:
Sophos
Intel Name:
BRONZE_BUTLER_Exploits_LANSCOPE_Zero_Day
Date of Scan:
2025-11-02
Impact:
HIGH
Summary:
Researchers at Sophos have identified that the Chinese state-sponsored threat group BRONZE BUTLER (also known as Tick) exploited a zero-day vulnerability (CVE-2025-61932) in Motex LANSCOPE Endpoint Manager to exfiltrate sensitive data from Japanese organizations. The flaw enables remote command execution with SYSTEM privileges, facilitating privilege escalation and lateral movement once access is established. Although the number of exposed internet-facing systems is limited, the campaign underscores BRONZE BUTLER’s continued exploitation of Japanese enterprise software, consistent with its prior attacks on IT management tools such as SKYSEA Client View in 2016. In the latest 2025 intrusion wave, CTU identified the use of Gokcpdoor and Havoc C2 frameworks for remote control and persistence, with Gokcpdoor’s updated variant employing multiplexed C2 communications via third-party libraries and dropping KCP protocol support. The OAED Loader malware further enabled stealthy execution through process injection into legitimate executables. The group also leveraged legitimate tools including goddi, Remote Desktop, and 7-Zip for lateral movement and data exfiltration, while cloud services were accessed via browser-based remote sessions to transfer stolen information.
Source: https://news.sophos.com/en-us/2025/10/30/bronze-butler-exploits-japanese-asset-management-software-vulnerability/
2025-11-02
Attackers_Exploit_OAuth_to_Access_Microsoft_365
HIGH
+
Intel Source:
Unit 42
Intel Name:
Attackers_Exploit_OAuth_to_Access_Microsoft_365
Date of Scan:
2025-11-02
Impact:
HIGH
Summary:
Researchers at Palo Alto Networks have observed an active phishing campaign exploiting OAuth authorization flows to compromise Microsoft accounts through brand impersonation. The attackers mimic legitimate business and investment platforms such as SAP Concur and Vanguard Funds to deceive users into granting unauthorized access tokens, thereby enabling persistent access to Microsoft tenants without direct credential theft. Victims are lured to attacker-controlled sites that prompt them to paste device codes or approve malicious OAuth applications. In one variant, the SAP Concur impersonation uses a fake login domain to redirect users to the legitimate Microsoft OAuth endpoint, where entering a provided code silently links the victim’s account to an attacker-controlled device. In another, the Vanguard-themed campaign disguises a malicious OAuth authorization link within a PDF, redirecting access tokens to attacker-managed Azure storage endpoints. Both phishing sets share malicious domains hosted on Microsoft’s infrastructure, indicating coordinated use of attacker-owned Azure resources.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-10-23-OAuth-flow-phishing.txt
2025-11-02
Midnight_Ransomware_Flawed_Babuk_Offshoot
MEDIUM
+
Intel Source:
Gen Digital
Intel Name:
Midnight_Ransomware_Flawed_Babuk_Offshoot
Date of Scan:
2025-11-02
Impact:
MEDIUM
Summary:
Researchers at Gen Digital have identified a new ransomware strain known as Midnight, which appears to be derived from the Babuk ransomware family but exhibits significant cryptographic flaws. Midnight retains Babuk’s overall structure and Ransomware-as-a-Service model, employing a combination of ChaCha20 and RSA encryption to lock victim data. However, implementation weaknesses in the cryptographic routines have made decryption possible under specific conditions, reducing the threat’s impact. The malware primarily targets large organizations in finance, healthcare, and government sectors, using configurable command-line arguments to control its encryption behavior and focusing on critical files such as backups and databases.
Source: https://www.gendigital.com/blog/insights/research/midnight-ransomware
2025-10-31
Manlingflower_Launches_New_Phishing_Campaign
MEDIUM
+
Intel Source:
360 Threat Intelligence Center
Intel Name:
Manlingflower_Launches_New_Phishing_Campaign
Date of Scan:
2025-10-31
Impact:
MEDIUM
Summary:
Researchers at the 360 Threat Intelligence Center have identified that APT-C-08, also known as Manlingflower, a South Asia–linked advanced persistent threat group, has launched a new phishing campaign leveraging ClickOnce application deployment files to remotely install malicious payloads. The operation entices victims to open deceptive Microsoft application files that initiate a multi-stage infection chain, beginning with the Microsoft.application payload, which retrieves a remote manifest and installs secondary binaries such as Launcher.exe, Microsoft.exe, and winsec.exe. Further analysis reveals that Microsoft.exe is a .NET self-contained binary compiled with dotnet publish to execute command-line tasks for persistence creation, while winsec.exe is a C# backdoor communicating with a command-and-control server at port 40269 using AES-encrypted traffic. The final payload maintains persistence via Windows scheduled tasks, beaconing system and user information to attacker infrastructure and enabling additional component downloads. Consistent with previous Manlingflower operations against government, defense, and academic entities in South Asia, the campaign’s objective appears to focus on intelligence collection, credential theft, lateral movement, and sustaining long-term espionage access within targeted networks.
Source: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247507424&idx=1&sn=8fbea6c6d8317d18e1265119afbeda67&poc_token=HFG-AWmj541Me4q4WVAAF2JbSgBmLWyqC2S-X1Qp
2025-10-31
PolarEdge_Expands_via_IoT_Proxy_Network
HIGH
+
Intel Source:
XLab
Intel Name:
PolarEdge_Expands_via_IoT_Proxy_Network
Date of Scan:
2025-10-31
Impact:
HIGH
Summary:
Researchers at XLab have uncovered RPX_Client, a new component of the PolarEdge malware ecosystem that integrates compromised IoT devices into a large-scale proxy relay system for covert operations. PolarEdge, first exposed by Sekoia in early 2025, operates an Operational Relay Box (ORB) model, an infrastructure-as-a-service framework leveraging infected IoT endpoints and VPS nodes to obfuscate malicious network traffic. The investigation identified over 140 active RPX servers and more than 25,000 infected devices across 40 countries, with concentrations in South Korea, China, and Southeast Asia. The RPX_Client module enables proxy relaying, remote command execution, and dynamic task redistribution between compromised devices and centralized control servers, allowing reverse-connection proxying that effectively conceals attacker origins through multi-hop IoT routing. The malware achieves persistence via system startup scripts and uses encrypted configuration files to maintain stealth and long-term control.
Source: https://blog.xlab.qianxin.com/smoking-gun-uncovered-rpx-relay-at-polaredges-core-exposed/
2025-10-30
Airstalk_Malware_Nation_State_Supply_Chain_Intrusion
HIGH
+
Intel Source:
Unit42
Intel Name:
Airstalk_Malware_Nation_State_Supply_Chain_Intrusion
Date of Scan:
2025-10-30
Impact:
HIGH
Summary:
Researchers at Palo Alto Networks Unit 42 have identified a new malware family named Airstalk being deployed in a suspected nation-state supply chain intrusion. The campaign leverages legitimate VMware AirWatch MDM APIs for covert command-and-control (C2) communications, allowing malicious traffic to blend seamlessly with authorized enterprise management activity. Two variants were discovered: a PowerShell-based loader and a .NET backdoor, both designed to exfiltrate data and maintain operational stealth. The PowerShell variant abuses the /api/mdm/devices/ endpoint to send serialized JSON commands for data theft, screenshots, and Chrome browser credential extraction, while the .NET variant incorporates multi-threaded execution for beaconing, debugging, and log exfiltration. Both samples were digitally signed with legitimate certificates to evade detection. The actor tracked as CL-STA-1009 has targeted organizations within the business process outsourcing (BPO) sector, exploiting trusted relationships to access sensitive client and infrastructure data.
Source: https://unit42.paloaltonetworks.com/new-windows-based-malware-family-airstalk/
2025-10-30
Russian_APT_Targets_Ukrainian_Organizations
HIGH
+
Intel Source:
Symantec and Carbon Black
Intel Name:
Russian_APT_Targets_Ukrainian_Organizations
Date of Scan:
2025-10-30
Impact:
HIGH
Summary:
Researchers at Symantec and Carbon Black have identified an ongoing campaign of Russian-attributed cyberattacks targeting Ukrainian organizations, particularly in the business services and local government sectors. Between June and August 2025, the researchers observed two distinct intrusions characterized by the use of custom webshells, credential harvesting, and advanced Living-off-the-Land (LotL) techniques. The attackers exploited unpatched public-facing servers to deploy the Localolive webshell, previously linked by Microsoft to the Sandworm subgroup Seashell Blizzard, as an initial access vector. Demonstrating strong operational discipline, the actors minimized malware deployment and relied on native Windows utilities such as rundll32, rdrleakdiag, and PowerShell for persistence, reconnaissance, and evasion, even modifying Defender preferences to avoid detection.
Source: https://www.security.com/threat-intelligence/ukraine-russia-attacks
2025-10-29
BlueNoroff_GhostCall_and_GhostHire_Ops
HIGH
+
Intel Source:
Securelist (Kaspersky)
Intel Name:
BlueNoroff_GhostCall_and_GhostHire_Ops
Date of Scan:
2025-10-29
Impact:
HIGH
Summary:
Researchers at Kaspersky have identified two interrelated BlueNoroff operations, codenamed GhostCall and GhostHire, that represent a significant evolution in the group’s financially motivated cyber campaigns. BlueNoroff, a subgroup of the North Korean Lazarus organization, has expanded beyond its traditional bank-heist focus to target cryptocurrency, fintech, and venture-capital sectors through sophisticated macOS and Web3 social engineering. The GhostCall campaign uses fake video meeting invitations and fabricated Zoom or Microsoft Teams update prompts to deliver multi-stage payloads written in Swift, Rust, Go, and Nim, enabling cross-platform persistence and credential theft. Meanwhile, GhostHire impersonates legitimate recruiters on Telegram and GitHub to distribute trojanized development repositories and malicious TypeScript or Go projects to engineers and developers.
Source: https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842/