Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.

securonix autonomous threat sweep detection report sample

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Learn More

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

Intel Source:: Splunk

Intel Name:: A_Deep_Dive_into_XWorm_Malware

Date of Scan:: 2025-07-10

Impact:: MEDIUM

Summary:: Researchers at Splunk have identified XWorm that employs a rotating arsenal of droppers, stagers, and payloads to evade detection and maintain persistent access on Windows endpoints . It leverages phishing lures impersonating invoices, shipping notices, or business requests to trick users into executing malicious attachments. XWorm is delivered in multiple formats such as .exe, .js, .vbs, .bat, .hta, .lnk and it uses advanced-evasion techniques such as AMSI bypass, ETW disablement, and registry-based Defender exclusions. It employs persistence by creating registry keys, scheduled tasks, startup folder, DLL side-loading, and USB or removable-media. Once active, it performs discovery of AV products, video-capture drivers, and graphics card information before establishing HTTP-based C2 communications. The mail objective of this malware is unauthorized data access, potential lateral movement, and long-term undetected system compromise.

Source: https://www.splunk.com/en_us/blog/security/xworm-shape-shifting-arsenal-detection-evasion.html

Intel Source:: Cyble

Intel Name:: LogoKit_Phishing_Campaign

Date of Scan:: 2025-07-10

Impact:: LOW

Summary:: Researchers at Cyble have uncovered an ongoing phishing campaign that leverages LogoKit which is designed to steal login credentials by impersonating legitimate organizations. The threat actors are masquerading entities such as HunCERT, Kina Bank, the Catholic Church, and logistics companies to deceive users into entering their credentials. These fraudulent pages are hosted on Amazon S3 and Render and appear legitimate by incorporating Cloudflare Turnstile (a CAPTCHA service) and automatically retrieve real logos from Clearbit and Google Favicon. Once a victim enters their credentials, the data is exfiltrated to a C2 server through an HTTP POST request. The stolen credentials can enable attackers to gain unauthorized access, carry out business email compromise (BEC), move laterally within networks, and potentially cause major data breaches.

Source: https://cyble.com/blog/logokit-being-leveraged-for-credential-theft/

Intel Source:: Securelist

Intel Name:: Batavia_Malware_Targeting_Russia

Date of Scan:: 2025-07-09

Impact:: LOW

Summary:: Securelist researchers have discovered a new malware strain called Batavia that emerged in July 2024. This malware targets Russian industrial enterprises and is delivered through spear-phishing emails disguised as business contracts. When a victim clicks the malicious link, it downloads a VBScript- downloader that decrypts and installs additional payloads which involves two separate executable files —WebView.exe and javav.exe, are used to collect sensitive files such as Microsoft Office documents, system logs, and files from USB drives or other removable media. Additionally, Batavia takes screenshots of the victim's screen and computes file hashes to avoid uploading duplicate files. The malware communicates with its C2 server over HTTPS and obfuscates its payloads using XOR and Base64 encoding. To maintain persistence, it creates a shortcut in the Start Menu's startup folder, ensuring execution on each user login.

Source: https://securelist.com/batavia-spyware-steals-data-from-russian-organizations/116866/

Intel Source:: Fortinet

Intel Name:: NordDragonScan_Target_Window_Systems

Date of Scan:: 2025-07-09

Impact:: MEDIUM

Summary:: Researchers at FortiGuard have discovered a new information-stealing malware called NordDragonScan, targeting Windows systems primarily in Ukraine’s government and energy sectors. The malware is distributed through shortened URLs and malicious shortcut files which executes a malicious HTA script that installs a .NET-based payload. It leverages a legitimate PowerShell binary to downloads a hidden payload and installs a file named adblocker.exe inside a folder named NordDragonScan. Once installed, it collects system information, capture screenshots, steals files and PDFs from common directories and extracts saved browser data from Chrome and Firefox. Additionally, it also scans the local network to identify other reachable systems and exfiltrates all collected data to a remote server over HTTPS. Victims are lured with fake Ukrainian-language documents related to government and energy sector communications.

Source: https://www.fortinet.com/blog/threat-research/norddragonscan-quiet-data-harvester-on-windows

Intel Source:: GData

Intel Name:: XMRig_Global_Cryptomining_Campaign

Date of Scan:: 2025-07-09

Impact:: LOW

Summary:: Researchers at GDATA Security Lab have identified a global cryptomining campaign leveraging XMRig to mine Monero cryptocurrency that emerged in April 2025. The campaign begins with the execution of batch script files via svchost.exe, followed by PowerShell commands that download and execute additional payloads. The attackers create scheduled tasks to disable Windows Defender and automatic update services before deploying the XMRig miner under random names to evade detection. They use LOLBAS techniques and hidden PowerShell windows to ensure persistence, leading to down system performance, increased energy consumption, and disruption of system maintenance. The malware has been observed in multiple countries, indicating targets systems worldwide.

Source: https://www.gdatasoftware.com/blog/2025/07/38228-monero-malware-xmrig-resurgence

Intel Source:: RedDrip7

Intel Name:: NightEagle_Exploits_Exchange_for_Espionage

Date of Scan:: 2025-07-08

Impact:: MEDIUM

Summary:: Researchers at RedDrip7 have disclosed that the APT group NightEagle exploited a previously unknown Microsoft Exchange deserialization vulnerability to achieve remote code execution on targeted Exchange servers. The group’s operations appear to be strategically motivated, with a focus on exfiltrating sensitive email data from high-tech Chinese organizations. To establish internal network access, NightEagle deployed a modified Chisel reverse tunnel disguised as a legitimate Synology update service. This was followed by memory-only injection of a custom .NET loader delivered through virtual URL web shells. The implant enabled sustained, covert remote email harvesting and command execution while avoiding disk-based detection mechanisms.

Source: https://github.com/RedDrip7/NightEagle_Disclose/blob/main/Exclusive%20disclosure%20of%20the%20attack%20activities%20of%20the%20APT%20group%20NightEagle.pdf

Intel Source:: unit42

Intel Name:: Tomcat_Partial_PUT_Camel_Header_Hijack

Date of Scan:: 2025-07-08

Impact:: MEDIUM

Summary:: During March 2025, Unit 42 observed a surge in attacks leveraging two critical Apache vulnerabilities. CVE-2025-24813 permits remote deserialization via Tomcat’s standard partial PUT mechanism, and CVE-2025-27636/29891 abuse Camel’s header processing to execute arbitrary commands. Exploitation attempts exceeded 7,800 across more than 70 countries, confirming a global automated campaign. Attackers identify targets via session name enumeration and Content-Range manipulation before delivering payloads that result in remote code execution.

Source: https://unit42.paloaltonetworks.com/apache-cve-2025-24813-cve-2025-27636-cve-2025-29891/

Intel Source:: Cyfirma

Intel Name:: APT36_Targets_Indian_Defence_Via_BOSS_Linux_Systems

Date of Scan:: 2025-07-07

Impact:: MEDIUM

Summary:: Researchers from Cyfirma have uncovered a spear-phishing campaign conducted by APT36 also known as Transparent Tribe targeting Indian defense personnel leveraging BOSS Linux systems. The attackers send ZIP archives containing a malicious desktop shortcut file. When clicked, it downloads and displays a legitimate PowerPoint decoy while simultaneously retrieving and launching a GO-based ELF binary in the background. The ELF payload establishes a persistent C2 channel over a non-standard port, enabling data exfiltration and covert screenshot capture. It also gathers system information, enumerates storage drives, and uses obfuscated logging routines to evade detection.

Source: https://www.cyfirma.com/research/phishing-attack-deploying-malware-on-indian-defense-boss-linux/

Intel Source:: KB4ThreatLabs

Intel Name:: Atera_RMM_Phishing_Campaign

Date of Scan:: 2025-07-07

Impact:: MEDIUM

Summary:: Researchers from KnowBe4 ThreatLabs have identified a targeted phishing campaign exploiting Social Security statement updates to distribute a malicious MSI installer masquerading as the Atera Agent RMM. On July 3, 2025, threat actors leveraged compromised email accounts to send a lure offering a “30-day free trial,” thereby deploying the legitimate Atera RMM on Windows hosts. By abusing the platform’s living-off-the-land capabilities, adversaries establish persistent C2 channels that enable file transfers, interactive shell access and AI-assisted command execution via the RMM web console.

Source: https://x.com/Kb4Threatlabs/status/1940759187514183827

Intel Source:: CCITIC

Intel Name:: Datacarry_Ransomware_Campaign

Date of Scan:: 2025-07-07

Impact:: MEDIUM

Summary:: The Cyber Counter-Intelligence Threat Investigation Consortium (CCITIC) have identified a targeted campaign by the Datacarry ransomware group, active since June 2024 and significantly intensifying in spring 2025. The group exploiting a critical vulnerability in Fortinet EMS (CVE-2023-48788) to gain initial access. Following exploitation, they use PowerShell to configure the environment for deploying a Go-based implant, which enables persistent command-and-control communication via the Chisel tunneling tool over WebSockets. The actors exfiltrate large volumes of data before deploying a Conti-variant ransomware payload.

Source: https://www.ccitic.org/assets/reports/CCITIC_Report_TLP-White_DATACARRY.pdf

View All

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.

Visit Our Sigma Page