Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.

securonix autonomous threat sweep detection report sample

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Learn More

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

Intel Source:: Huntress

Intel Name:: Exploitation_of_Triofox_Servers

Date of Scan:: 2025-04-16

Impact:: LOW

Summary:: Researchers from Huntress have found active exploitation of a critical vulnerability CVE-2025-30406 influencing Gladinet CentreStack and Triofox servers, which has been included to CISA's Known Abused Vulnerabilities catalog. The flaw, evaluated 9.0 in severity, stems from hardcoded cryptographic keys in default setup files (web.config) that can be abused for remote code execution through ASP.NET ViewState deserialization.

Source: https://www.huntress.com/blog/cve-2025-30406-critical-gladinet-centrestack-triofox-vulnerability-exploited-in-the-wild

Intel Source:: Dark Atlas

Intel Name:: Global_Rise_of_Akira_Ransomware

Date of Scan:: 2025-04-16

Impact:: MEDIUM

Summary:: Researchers from Dark Atlas have discovered that the Akira ransomware group, which has been operating since at least March 2023, has rapidly expanded into a substantial cyber threat, hitting over 250 firms and obtaining approximately $42 million in ransom payments. Akira uses a double-extortion methodology that combines data encryption and exfiltration, threatening to disclose stolen information if victims fail to pay. Initial access is usually obtained by compromising VPN credentials and vulnerabilities in Cisco products, followed by lateral movement with programs such as AnyDesk, RClone, and WinSCP.

Source: https://darkatlas.io/blog/akira-ransomware-road-to-glory

Intel Source:: Kandji

Intel Name:: Advanced_macOS_Spyware_PasivRobber

Date of Scan:: 2025-04-16

Impact:: LOW

Summary:: Kandji researchers, following the discovery of a suspicious file named 'wsus' on VirusTotal on March 13, 2025, uncovered PasivRobber, a sophisticated, multi-component macOS spyware suite. This threat appears specifically designed to target Chinese users, indicated by its focus on data exfiltration from applications popular in China, such as WeChat and QQ, alongside web browsers and email clients. The research suggests a potential link between PasivRobber and Xiamen Meiya Pico Information Co., Ltd., a Chinese company previously identified for developing surveillance and forensic tools. PasivRobber demonstrates advanced capabilities and a deep understanding of macOS internals, employing deceptive naming conventions (e.g., 'goed' mimicking 'geod', '.gz' extension for dylibs), persistence via LaunchDaemons, process injection using tools like 'apse' (similar to insert_dylib), and runtime key extraction from messaging apps using Frida. The suite communicates via RPC and FTP for updates and potential command execution, including remote uninstallation. The inherent stealth, comprehensive data harvesting scope, and sophisticated TTPs signify a high risk of extensive espionage and sensitive data compromise for targeted individuals and potentially organizations employing affected macOS systems.

Source: https://www.kandji.io/blog/pasivrobber

Intel Source:: NVISO

Intel Name:: BRICKSTORM_Backdoor_Hits_Windows

Date of Scan:: 2025-04-16

Impact:: MEDIUM

Summary:: NVISO's researchers have analyzed the BRICKSTORM, a persistent espionage backdoor attributed to the China-nexus cluster UNC5221, now identified targeting Windows environments in addition to its previous Linux presence. Employed in long-running campaigns since at least 2022, BRICKSTORM facilitates intelligence gathering against European industries relevant to Chinese strategic interests, likely focusing on intellectual property and trade secret theft. The backdoor utilizes sophisticated command and control techniques, including DNS-over-HTTPS (DoH) for initial C2 resolution and a multi-layered TLS tunneling approach (up to three layers) over WebSockets, leveraging legitimate cloud providers like Cloudflare and Heroku as first-tier proxies to evade detection.

Source: https://blog.nviso.eu/wp-content/uploads/2025/04/NVISO-BRICKSTORM-Report.pdf

Intel Source:: Trend Micro

Intel Name:: BPFDoor_Targets_Telecom_and_Finance

Date of Scan:: 2025-04-15

Impact:: LOW

Summary:: Trend Micro researchers have found a previously unknown controller tied to the BPFDoor malware employed by the APT group Red Menshen (also known as Earth Bluecrow), which allows attackers to open a reverse shell for further infiltration into affected networks. BPFDoor, a stealthy state-sponsored backdoor that uses Berkeley Packet Filtering (BPF), has been detected targeting the telecommunications, finance, and retail sectors in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt.

Source: https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.html

Intel Source:: Morphisec

Intel Name:: ResolverRAT_Malware

Date of Scan:: 2025-04-15

Impact:: LOW

Summary:: Researchers at Morphisec have identified a new remote access trojan called ResolverRAT which is being used to target healthcare and pharmaceutical sectors. The attackers send phishing emails in local languages such as Hindi, Italian, Turkish, and others by using fear-inducing themes like legal trouble or copyright violations to trick users into downloading a malicious file. The malware uses DLL side loading technique to install the malware that runs the malware in memory. It employs on multiple persistence method by using the Windows Registry and the file system. ResolverRAT also uses certificate-based authentication, IP rotation, and certificate pinning to remain connected to its C2 servers.

Source: https://www.morphisec.com/blog/new-malware-variant-identified-resolverrat-enters-the-maze/

Intel Source:: ISC.SANS

Intel Name:: PyArmor_Obfuscated_Malicious_Python_Scripts

Date of Scan:: 2025-04-15

Impact:: LOW

Summary:: Researchers at ISC.SANS have observed malicious actors utilizing the legitimate PyArmor tool to obfuscate Python-based stealer malware, hindering detection and analysis. This multi-stage attack, reported in April 2025, begins with JavaScript executing PowerShell to download a zipped Python environment containing the obfuscated payload. This indicates that the malware is designed to steal credentials and cryptocurrency wallet data, using obfuscation techniques to evade static security measures. Additionally, it likely employs WMI queries for reconnaissance or to bypass sandboxes.

Source: https://isc.sans.edu/diary/Obfuscated+Malicious+Python+Scripts+with+PyArmor/31840/

Intel Source:: Cisco Talos

Intel Name:: Toll_Road_Smishing_Scam_in_the_US

Date of Scan:: 2025-04-15

Impact:: LOW

Summary:: Since October 2024, Cisco Talos researchers have identified a massive and ongoing SMS phishing (smishing) campaign aimed at toll road users in numerous US states. Financially motivated threat actors impersonate toll payment systems such as E-ZPass in order to steal personal and financial information from their victims. Victims receive SMS messages claiming a tiny unpaid toll cost, which prompts them to visit a fake domains specific to their state. These websites deceive users with bogus CAPTCHAs and false bills, eventually forcing them to enter sensitive information such as credit card numbers.

Source: https://blog.talosintelligence.com/unraveling-the-us-toll-road-smishing-scams/

Intel Source:: BI.ZONE

Intel Name:: Sapphire_Werewolf_Targeting_Energy_Sector

Date of Scan:: 2025-04-14

Impact:: HIGH

Summary:: BI.ZONE researchers have uncovered that the Sapphire Werewolf threat cluster is actively targeting energy sector organizations using an enhanced version of the open-source Amethyst information stealer. Delivering through phishing emails disguised as HR-related memos containing malicious RAR archives, the stealer is executed via a .NET loader that runs a Base64-encoded payload directly in memory. To avoid sandbox detection, this updated variant features advanced anti-virtualization techniques—checking registry keys, WMI, hardware components, and services. It also uses Triple DES encryption to obfuscate configuration data. The attack primarily aims to steal credentials and exfiltrate sensitive data from various applications, including web browsers (Chrome, Opera, Yandex), Telegram, FileZilla, SSH clients, remote desktop tools, VPNs, and even documents stored on removable media.

Source: https://bi.zone/eng/expertise/blog/kamen-ogranennyy-sapphire-werewolf-ispolzuet-novuyu-versiyu-amethyst-stealer-dlya-atak-na-tek/

Intel Source:: Securelist

Intel Name:: GOFFEE_Targets_Russian_Entities

Date of Scan:: 2025-04-14

Impact:: LOW

Summary:: Securelist researchers have discovered that the threat actor GOFFEE continues to target Russian enterprises, namely in the media, telecommunications, construction, government, and energy sectors. Since 2022, GOFFEE has relied on spear phishing emails, originally employing modified Owowa modules and, by 2024, patched malicious instances of explorer.exe. In the second part of 2024, the group released a new PowerShell-based implant known as "PowerModul" and began replacing the PowerTaskel agent with a binary Mythic agent for lateral movement. GOFFEE further expanded its infection chains to include Word documents with malicious VBA macros and RAR packages with double-extension executables.

Source: https://securelist.com/goffee-apt-new-attacks/116139/

View All

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.

Visit Our Sigma Page