Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.


Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and search queries are available on our GitHub repository.

2026-01-01
EtherRAT_Abuses_Ethereum_for_Fileless_C2
HIGH
Intel Source:
Sysdig
Intel Name:
EtherRAT_Abuses_Ethereum_for_Fileless_C2
Date of Scan:
2026-01-01
Impact:
HIGH
Summary:
Researchers at Sysdig have identified EtherRAT, a newly observed remote access trojan that abuses the Ethereum blockchain for command and control. It is delivered through exploitation of the React2Shell vulnerability in Next.js applications and operates filelessly via Node.js, executing fully in memory to evade disk-based detection, while using smart contract state changes to dynamically resolve active infrastructure for resilient C2 operations. Analysis uncovered five post-compromise modules: system reconnaissance that self-terminates on CIS-region locales; credential and cryptocurrency theft targeting wallet seed phrases, API keys, and cloud credentials; a self-propagating worm that scans and exploits additional vulnerable endpoints across internal and external networks; a web server hijacking component used for traffic redirection and monetization; and an SSH-based persistence mechanism using a hard-coded public key. Although the initial assessment suggested a possible DPRK nexus, characteristics such as the CIS locale exclusion and monetization-focused behavior align more closely with Russian-speaking threat actor tradecraft, indicating either shared tooling or deliberate false flagging.
Source: https://www.sysdig.com/blog/etherrat-dissected-how-a-react2shell-implant-delivers-5-payloads-through-blockchain-c2
2025-12-31
BlindEagle_Colombian_Gov_Spearphish_Uses_DCRAT
HIGH
Intel Source:
Zscaler Threatlabz
Intel Name:
BlindEagle_Colombian_Gov_Spearphish_Uses_DCRAT
Date of Scan:
2025-12-31
Impact:
HIGH
Summary:
Researchers at Zscaler ThreatLabz have identified a spear-phishing campaign attributed to the South American threat actor BlindEagle, targeting a Colombian government agency under the Ministry of Commerce, Industry and Tourism (MCIT). The campaign leveraged a compromised internal email account to distribute phishing messages containing an SVG attachment that redirected victims to a fraudulent judicial web portal. From there, victims were deceived into downloading a JavaScript file that initiated a file-less infection chain. This chain executed multiple obfuscated JavaScript stages and PowerShell commands to deploy the Caminho downloader, which ultimately delivered the DCRAT remote access trojan. The attack demonstrated multi-layered obfuscation, in-memory execution, and the use of legitimate services such as Discord for payload hosting. Caminho’s code contained Portuguese elements, suggesting origins within the Brazilian cybercriminal ecosystem.
Source: https://www.zscaler.com/blogs/security-research/blindeagle-targets-colombian-government-agency-caminho-and-dcrat#indicators-of-compromise--iocs-
2025-12-31
EmEditor_Compromise_Info_Stealing_Supply_Chain_Attack
HIGH
Intel Source:
Qianxin Threat Intelligence Center
Intel Name:
EmEditor_Compromise_Info_Stealing_Supply_Chain_Attack
Date of Scan:
2025-12-31
Impact:
HIGH
Summary:
Researchers at Qianxin Threat Intelligence Center have identified a significant software supply chain compromise impacting the official EmEditor installation packages between December 19 and 22, 2025. The attackers replaced legitimate MSI installers with malicious ones signed by a fake certificate, embedding a PowerShell-based information-stealing payload. Once executed, the malware harvested extensive system and credential data, including operating system details, browser information, VPN configurations, and user credentials across communication and productivity tools. It employed RSA encryption for stolen data and achieved persistence through a malicious Microsoft Edge extension masquerading as a legitimate cloud storage plugin.
Source: https://ti.qianxin.com/blog/articles/emeditor-supply-chain-incident-details-disclosed-en/
2025-12-30
Silver_Fox_India_Tax_Phishing_Valley_RAT
HIGH
Intel Source:
Cloudsek
Intel Name:
Silver_Fox_India_Tax_Phishing_Valley_RAT
Date of Scan:
2025-12-30
Impact:
HIGH
Summary:
CloudSEK reports a targeted phishing campaign attributed to the Chinese Silver Fox APT abusing India Income Tax–themed lures to gain initial access. Rather than deploying an overtly malicious executable, the operation relies on a convincing PDF decoy that redirects victims to download an installer masquerading as legitimate tax-related content. Once launched, the installer abuses a signed third-party binary to sideload a malicious DLL, allowing execution to blend into normal Windows activity. The loader performs anti-debugging and sandbox checks before decrypting and executing payloads entirely in memory. The infection chain culminates in the deployment of Valley RAT, a modular backdoor designed for long-term, low-noise persistence. Valley RAT uses delayed beaconing, protocol switching, and three-tier command-and-control failover to evade detection and blocking. Registry-based storage enables operators to update C2 infrastructure and deploy new plugins without redeploying malware. The campaign’s victimology, infrastructure, and tooling contradict earlier attribution to India-aligned actors and instead align with known Silver Fox tradecraft. The impact is sustained access with capabilities for credential theft, surveillance, and lateral movement.
Source: https://www.cloudsek.com/blog/silver-fox-targeting-india-using-tax-themed-phishing-lures#iocs
2025-12-29
DNS_Poisoning_Delivers_MgBot
MEDIUM
Intel Source:
Securelist
Intel Name:
DNS_Poisoning_Delivers_MgBot
Date of Scan:
2025-12-29
Impact:
MEDIUM
Summary:
Researchers at Securelist have uncovered a highly targeted campaign by the Evasive Panda threat group, also known as Bronze Highland, Daggerfly, or StormBamboo, that quietly delivers malware by manipulating DNS responses. The campaign relies on victim-specific delivery, with each infection carefully tailored to reduce detection and complicate analysis. The attack impersonates legitimate software updates for widely used applications, allowing it to blend seamlessly into normal user activity. Malware is delivered in multiple stages and proceeds only when specific conditions are met, helping it evade automated defenses. Its components are encrypted, bound to the infected system, and often executed directly in memory or injected into trusted processes to remain hidden. The final payload identified is MgBot, highlighting the group’s focus on long-term remote access and persistent control rather than immediate disruption.
Source: https://securelist.com/evasive-panda-apt/118576/
2025-12-29
Russian_Espionage_Campaign_Abuses_Viber_Messages
HIGH
Intel Source:
360 Threat Intelligence Center
Intel Name:
Russian_Espionage_Campaign_Abuses_Viber_Messages
Date of Scan:
2025-12-29
Impact:
HIGH
Summary:
Researchers at the 360 Threat Intelligence Center have observed UAC-0184, also known as Hive0156, a Russian state-aligned cyber-espionage group, targeting Ukrainian military and government entities in a campaign dubbed "The Dark Side of the Fallen Files." The campaign leverages the Viber messaging platform to deliver malicious ZIP archives containing shortcut files and PowerShell scripts disguised as official Ukrainian parliament correspondence and themed around sensitive military and administrative topics to socially engineer recipients. Once executed, the infection chain retrieves secondary payloads, including HijackLoader, which ultimately deploys the Remcos remote access trojan through a multi-stage process involving DLL side-loading, module stomping, unconventional control flow, and dynamic shellcode decryption to evade detection. HijackLoader performs security product reconnaissance, disables built-in protections, establishes persistence via scheduled tasks, and obscures execution.
Source: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247507757&idx=1&sn=cf6b118e88395af45a000aae80811264&poc_token=HFVIUmmjA1Fa1PlHP1hqdS28HznjEUfHODrHwWqV
2025-12-28
npm_Spearphishing_Document_Lures_AiTM
HIGH
Intel Source:
Socket
Intel Name:
npm_Spearphishing_Document_Lures_AiTM
Date of Scan:
2025-12-28
Impact:
HIGH
Summary:
Researchers from the Socket Threat Research Team uncovered a sustained spearphishing campaign that abuses the npm registry as durable hosting for browser-based phishing lures. Instead of compromising developers through malicious dependencies, the actor repurposes npm packages as web-delivered phishing components that execute directly in the victim’s browser. The operation ran for at least five months and involved 27 malicious packages published under multiple aliases. These packages impersonate secure document-sharing portals and Microsoft sign-in pages, with the victim’s email address prefilled to increase credibility. The campaign is highly targeted, focusing on sales and commercial staff at manufacturing, industrial automation, plastics, and healthcare organizations. Once the lure is opened, client-side JavaScript replaces page content and guides the victim through a staged verification flow. Lightweight anti-analysis controls, including bot detection, honeypot form fields, and interaction gating, are used to evade scanners. Credential submission redirects victims to threat actor-controlled infrastructure associated with adversary-in-the-middle techniques. In some cases, the infrastructure overlaps with Evilginx-style patterns capable of stealing session cookies and bypassing MFA. The impact is credential compromise with potential downstream account takeover rather than endpoint malware infection.
Source: https://socket.dev/blog/spearphishing-campaign-abuses-npm-registry?utm_medium=feed
2025-12-28
A_Deployment_of_CoinMiner_Payloads
MEDIUM
Intel Source:
Asec
Intel Name:
A_Deployment_of_CoinMiner_Payloads
Date of Scan:
2025-12-28
Impact:
MEDIUM
Summary:
Researchers at ASEC have uncovered multiple campaigns that exploit a GeoServer remote code execution vulnerability (CVE-2024-36401) to install cryptocurrency miners on exposed servers. The attackers scan the internet for vulnerable GeoServer deployments rather than targeting specific organizations. Once access is gained, the attackers deploy XMRig-based CoinMiner payloads to hijack system resources for cryptomining. In some cases, they use multi-stage PowerShell and Bash scripts, including droppers delivered via certutil and downloaders that can run payloads directly in memory. The attackers also try to weaken host defenses by adding Windows Defender exclusions and disabling security settings to keep their access longer.
Source: https://asec.ahnlab.com/en/91724/
2025-12-27
Webrat_GitHub_Exploit_Lure_Backdoor
MEDIUM
Intel Source:
Securelist
Intel Name:
Webrat_GitHub_Exploit_Lure_Backdoor
Date of Scan:
2025-12-27
Impact:
MEDIUM
Summary:
Researchers from Securelist have uncovered a Webrat campaign that shifts distribution from game cheats and cracked software to fake exploits hosted on GitHub repositories. Instead of targeting casual users, the attackers now focus on students and inexperienced security professionals by disguising malware as proof-of-concept exploits for high-profile vulnerabilities. The repositories are carefully crafted with AI-generated vulnerability descriptions and realistic mitigation guidance to appear legitimate. Victims are lured into downloading password-protected archives that contain a decoy file alongside a malicious loader. Once executed, the loader escalates privileges, disables Windows Defender, and retrieves the Webrat backdoor from a remote server. The end goal is persistent system access and data theft, including credentials, messaging accounts, and surveillance via keylogging and media capture.
Source: https://securelist.com/webrat-distributed-via-github/118555/
2025-12-27
Tax_Themed_Phish_NSIS_RAT_Fake_ITD
HIGH
Intel Source:
Seqrite
Intel Name:
Tax_Themed_Phish_NSIS_RAT_Fake_ITD
Date of Scan:
2025-12-27
Impact:
HIGH
Summary:
Researchers from Seqrite have uncovered a tax-themed phishing campaign targeting Indian businesses that impersonates the Indian Income Tax Department to deliver a remote access malware payload. The attack begins with spearphishing emails using urgent compliance lures that direct victims to a fraudulent tax portal hosting a malicious ZIP archive. When executed, the archive launches a multi-stage NSIS installer chain that drops and executes a hidden RAT component while attempting to weaken local security controls. The malware establishes persistence by registering a Windows service disguised as a legitimate system protection service. It then performs system reconnaissance, collects host and software information, and registers the infected device with attacker-controlled infrastructure. The implant communicates with its command-and-control servers over multiple ports, enabling remote command execution and follow-on activity. The campaign emphasizes persistence and operational control, posing significant risk to affected organizations through sustained endpoint compromise.
Source: https://www.seqrite.com/blog/indian-income-tax-themed-phishing-campaign-targets-local-businesses/

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.


Why Security Content Matters

Learn how Securonix is paving the way to make precise and actionable security content a reality for our customers.