Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.


Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

2025-03-22
Downloader_Malware_Created_with_JPHP_Interpreter
LOW
Intel Source:
ASEC
Intel Name:
Downloader_Malware_Created_with_JPHP_Interpreter
Date of Scan:
2025-03-22
Impact:
LOW
Summary:
ASEC researchers have discovered malware that uses JPHP, a PHP interpreter that runs on the Java Virtual Machine. The malware is distributed as a ZIP file that bundles a Java Runtime Environment and the libraries it needs, so it runs on the victim's machine even if Java is not installed. When executed, it starts a Java process that loads a malicious JPHP file, which downloads and installs other malware such as Strrat and DanaBot.
Source: https://asec.ahnlab.com/ko/86829/
2025-03-22
VanHelsing_Ransomware
HIGH
Intel Source:
TheRavenFile
Intel Name:
VanHelsing_Ransomware
Date of Scan:
2025-03-22
Impact:
HIGH
Summary:
VanHelsing Ransomware emerged on March 18, 2025, targeting Windows systems primarily in the US and France. It encrypts files with .vanhelsing and .vanlocker extensions using a combination of Curve25519, AES, and Salsa20/ChaCha encryption algorithms, with XOR encoding for obfuscation. The ransomware drops a malicious executable named locker.exe and creates a mutex (Global\VanHelsing) to ensure only one instance runs at a time. It demands a ransom of $40,000 in Bitcoin and communicates with its infrastructure via Onion links for data leakage and ransom negotiation. The ransomware leverages nginx servers hosted by Xhost Internet Solutions.
Source: https://github.com/TheRavenFile/Daily-Hunt/blob/main/VanHelsing%20Ransomware
2025-03-22
Clickbait_to_Catastrophe
LOW
Intel Source:
Cofense
Intel Name:
Clickbait_to_Catastrophe
Date of Scan:
2025-03-22
Impact:
LOW
Summary:
Cofense researchers have discovered a phishing campaign targeting Meta Business account holders through a fake Instagram alert claiming that the user has violated advertising policies and that their ads are suspended. The email includes a "Check more Details" button that redirects to a fake Meta support page. Once the user reaches that page, a "Request review" prompt asks them to enter their name and business email, which leads them to a fake chatbot. If the chatbot process fails, the attackers trick users into following fake "System check" instructions to fix their account; these instructions give the attackers access by registering their own authentication app. The attacker's main goal is to hijack the account and steal sensitive information.
Source: https://cofense.com/blog/clickbait-to-catastrophe-how-a-fake-meta-email-leads-to-password-plunder
2025-03-21
Safe_Wallet_Confirms_North_Korea_Crypto_Hack
LOW
Intel Source:
Safe{Wallet}
Intel Name:
Safe_Wallet_Confirms_North_Korea_Crypto_Hack
Date of Scan:
2025-03-21
Impact:
LOW
Summary:
Safe{Wallet} has confirmed that the $1.5 billion Bybit crypto heist was a highly sophisticated, state-sponsored attack carried out by North Korean hacking group TraderTraitor (Jade Sleet, PUKCHONG, UNC4899). The hackers compromised a Safe{Wallet} developer's macOS laptop by tricking them into downloading a malicious Docker project via social engineering. They then hijacked AWS session tokens, bypassing MFA security controls. The attack, which began on February 4, 2025, involved advanced tactics to erase traces, hindering investigation efforts.
Source: https://x.com/safe/status/1897663514975649938?s=09
2025-03-21
Rust_Beacon_Delivers_Cobalt_Strike_to_South_Korea
LOW
Intel Source:
Hunt.IO
Intel Name:
Rust_Beacon_Delivers_Cobalt_Strike_to_South_Korea
Date of Scan:
2025-03-21
Impact:
LOW
Summary:
Researchers at Hunt.IO have discovered a publicly exposed web server containing tools linked to an intrusion campaign targeting South Korean organizations. The server, active for less than 24 hours, hosted a Rust-compiled Windows executable delivering a modified version of Cobalt Strike, along with other tools like SQLMap, Web-SurvivalScan, and dirsearch. These tools suggest the actor exploited vulnerable web applications. Metadata indicates some attacks were successful, with government and commercial entities as the primary targets. The combination of a Rust-compiled loader and modified Cobalt Strike highlights the actor's approach to malware delivery and post-exploitation.
Source: https://hunt.io/blog/rust-beacon-cobalt-strike-cat-south-korea#Cobalt_Strike_Cat_Open_Directory_Host_Observables_and_IOCs
2025-03-21
New_Ransomware_Operator_Exploits_Fortinet_Vulnerability_Duo
MEDIUM
Intel Source:
Forescout
Intel Name:
New_Ransomware_Operator_Exploits_Fortinet_Vulnerability_Duo
Date of Scan:
2025-03-21
Impact:
MEDIUM
Summary:
Forescout researchers have identified a series of intrusions exploiting two Fortinet vulnerabilities, starting with the compromise of Fortigate firewall appliances and culminating in the deployment of a new ransomware strain called SuperBlack. The intrusions are attributed to the threat actor "Mora_001," named after Slavic mythology, due to its use of Russian artifacts. This actor combines opportunistic attacks with connections to the LockBit ransomware ecosystem, highlighting the growing complexity of modern ransomware operations, where specialized teams collaborate to enhance their capabilities.
Source: https://www.forescout.com/blog/new-ransomware-operator-exploits-fortinet-vulnerability-duo/
2025-03-21
MirrorFace_Targets_Europe_with_ANEL_Backdoor
MEDIUM
Intel Source:
Welivesecurity
Intel Name:
MirrorFace_Targets_Europe_with_ANEL_Backdoor
Date of Scan:
2025-03-21
Impact:
MEDIUM
Summary:
ESET researchers have discovered that the MirrorFace cyber espionage group expanded its operations to target a Central European diplomatic institute, marking their first attack on a European entity. The group is using the ANEL backdoor, previously linked to APT10, and deploying a customized version of AsyncRAT with a complex execution chain inside Windows Sandbox. The investigation also revealed updates in MirrorFace’s tactics, techniques, and tools (TTPs).
Source: https://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/
2025-03-20
Squid_Werewolf_Poses_as_Job_Recruiters
LOW
Intel Source:
BI.ZONE
Intel Name:
Squid_Werewolf_Poses_as_Job_Recruiters
Date of Scan:
2025-03-20
Impact:
LOW
Summary:
BI.ZONE researchers have identified a phishing campaign by the Squid Werewolf (APT37) group, targeting victims with fake job offers from an industrial organization. The attack involves a password-protected ZIP file containing a malicious LNK file. When opened, the LNK file executes a sequence of commands that decode Base64 data and copy an executable (dfsvc.exe) to the startup folder for persistence. Additional malicious files, including a DLL and a PDF, are dropped to carry out further malicious actions.
Source: https://bi.zone/eng/expertise/blog/sotni-tysyach-rubley-za-vashi-sekrety-kibershpiony-squid-werewolf-maskiruyutsya-pod-rekruterov/?utm_source=main&utm_medium=link&utm_campaign=sotni-tysyach-rubley-za-vashi-sekrety-kibershpiony-squid-werewolf-maskiruyutsya-pod-rekruterov
2025-03-20
Phishing_Campaign_Targeting_UniPd
LOW
Intel Source:
CERT-AGID
Intel Name:
Phishing_Campaign_Targeting_UniPd
Date of Scan:
2025-03-20
Impact:
LOW
Summary:
Researchers from CERT-AGID have identified a phishing campaign targeting the University of Padua in which attackers are stealing credentials from students and employees of the university. The attackers created two fake websites impersonating the university to trick users into entering their credentials.
Source: https://cert-agid.gov.it/news/campagna-di-phishing-mirata-a-unipd-circa-200-credenziali-compromesse/
2025-03-19
Online_File_Converters_Installs_Malware
LOW
Intel Source:
MalwareBytes
Intel Name:
Online_File_Converters_Installs_Malware
Date of Scan:
2025-03-19
Impact:
LOW
Summary:
Malwarebytes researchers have observed cybercriminals creating fake online file conversion websites that offer free services but actually deliver malware. These sites typically offer to convert [.]doc files to [.]pdf or to merge multiple images into a single .pdf. Once a user is compromised, the malware steals sensitive information such as Social Security numbers, banking credentials, cryptocurrency wallets, email addresses and login passwords. It can also capture session tokens that allow the cybercriminals to bypass multi-factor authentication.
Source: https://www.malwarebytes.com/blog/news/2025/03/warning-over-free-online-file-converters-that-actually-install-malware

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.


Why Security Content Matters

Learn how Securonix is paving the way to make precise, and actionable security content a reality for our customers.