Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.


Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

2025-06-06
Malicious_NPM_Crypto_Wallet_Drainers
LOW
Intel Source:
Socket
Intel Name:
Malicious_NPM_Crypto_Wallet_Drainers
Date of Scan:
2025-06-06
Impact:
LOW
Summary:
Researchers at Socket have identified four malicious npm packages designed to drain Ethereum and BSC cryptocurrency wallets. These packages, created three to four years ago by an actor named @crypto-exploit (registered with a Russian webmail address), collectively amassed over 2,100 downloads. The malware, embedded within packages such as pancake_uniswap_validators_utils_snipe and env-process, uses obfuscated JavaScript that reads wallet private keys from environment variables and then attempts to transfer 80-85% of the victim's wallet balance to a threat actor-controlled address. This known tactic aims for stealth and persistence by leaving some funds behind for gas fees.
Source: https://socket.dev/blog/malicious-npm-packages-target-bsc-and-ethereum
2025-06-05
Lazarus_Stealer_Targets_Professionals
LOW
Intel Source:
Any.Run
Intel Name:
Lazarus_Stealer_Targets_Professionals
Date of Scan:
2025-06-05
Impact:
LOW
Summary:
Researchers at ANY.RUN have found OtterCookie, a new JavaScript-based stealer malware attributed to the North Korean Lazarus Group, targeting finance and technology professionals. First observed in a campaign around June 2025, attackers employ social engineering, often through fake job offers or freelance bug fix tasks on platforms like LinkedIn, to deliver what appears to be legitimate Node.js code hosted in a Bitbucket repository. The malware's novelty lies in its execution method: an intentionally flawed piece of code triggers an error handler that fetches and executes a heavily obfuscated JavaScript payload from an external API, reportedly hosted in Finland.
Source: https://any.run/cybersecurity-blog/ottercookie-malware-analysis/
2025-06-05
AI_Tool_Misconfig_Exploited_for_Malicious_Payload
MEDIUM
Intel Source:
Sysdig
Intel Name:
AI_Tool_Misconfig_Exploited_for_Malicious_Payload
Date of Scan:
2025-06-05
Impact:
MEDIUM
Summary:
The Sysdig Threat Research Team has reported an incident in which a threat actor exploited a misconfigured, internet-exposed Open WebUI instance to deploy an AI-generated Python payload. This payload targeted both Linux and Windows systems, downloading the T-Rex and XMRig cryptominers for Monero and Kawpow, establishing persistence via systemd services, and using a Discord webhook for C2. The financially motivated attack leveraged uncommon defense evasion tools such as processhider and argvhider (an LD_PRELOAD technique for hiding process arguments) on Linux. The Windows variant was more sophisticated, deploying a Java-based loader (application-ref.jar) which in turn executed secondary malicious JARs containing infostealers targeting Chrome extensions and Discord tokens, and employed multiple DLLs for XOR decoding and sandbox evasion.
Source: https://sysdig.com/blog/attacker-exploits-misconfigured-ai-tool-to-run-ai-generated-payload/
2025-06-04
HuluCaptcha_CAPTCHA_Deploys_Malware
LOW
Intel Source:
Gi7w0rm (Medium)
Intel Name:
HuluCaptcha_CAPTCHA_Deploys_Malware
Date of Scan:
2025-06-04
Impact:
LOW
Summary:
Security researcher Gi7w0rm has uncovered a new malicious campaign called HuluCaptcha, which uses fake CAPTCHA pages to distribute malware such as Lumma Stealer, Aurotun Stealer and Donut Injector. The attackers compromise legitimate websites, including those of the German Association for International Law and the Los Angeles Caregiver Resource Center, by injecting malicious JavaScript that redirects users to fake CAPTCHA screens designed to resemble Cloudflare. These deceptive pages trick users into executing malicious commands via the Windows Run dialog, which in turn install the malware. The campaign also includes tooling for victim tracking and customized PowerShell payload generation, along with indications of an affiliate tracking system aimed at scaling the operation.
Source: https://gi7w0rm.medium.com/hulucaptcha-an-example-of-a-fakecaptcha-framework-9f50eeeb2e6d
2025-06-03
JINX_0132_DevOps_Cryptojacking_Campaign
LOW
Intel Source:
Wiz.io
Intel Name:
JINX_0132_DevOps_Cryptojacking_Campaign
Date of Scan:
2025-06-03
Impact:
LOW
Summary:
Researchers at Wiz have identified a widespread cryptojacking campaign, attributed to the threat actor JINX-0132, targeting publicly accessible and misconfigured DevOps tools such as HashiCorp Nomad, Consul, the Docker API, and Gitea, including instances in major cloud environments. Active as of June 2025, JINX-0132 exploits known vulnerabilities and insecure default settings, such as Nomad's job creation or Consul's health checks, to achieve remote code execution and deploy the XMRig Monero miner for financial gain.
Source: https://www.wiz.io/blog/jinx-0132-cryptojacking-campaign
2025-06-03
NightSpire_Ransomware
MEDIUM
Intel Source:
SOC Radar
Intel Name:
NightSpire_Ransomware
Date of Scan:
2025-06-03
Impact:
MEDIUM
Summary:
Researchers from SOCRadar have uncovered a new financially motivated ransomware group called NightSpire that emerged in early 2025. The group employs a double extortion technique in which it steals sensitive data from victims and threatens to publish it on its data leak site if the ransom is not paid. NightSpire primarily targets small to medium-sized organisations in the Technology, IT Services, Financial Services, Manufacturing, Construction, Education and Healthcare sectors across the U.S., Taiwan, Hong Kong, Egypt and several European nations. The group gains initial access by exploiting known vulnerabilities in VPNs, firewalls, or outdated web servers. Once inside, it uses legitimate system tools such as PowerShell or PsExec to move laterally, steal credentials and escalate privileges. Before deploying ransomware, it exfiltrates data to attacker-controlled servers using tools like Rclone or MEGA. NightSpire leverages secure channels such as ProtonMail or Telegram to communicate with victims.
Source: https://socradar.io/dark-web-profile-nightspire-ransomware/
2025-06-03
ViperSoftX_Targeting_Cryptocurrency_Users
LOW
Intel Source:
ASEC
Intel Name:
ViperSoftX_Targeting_Cryptocurrency_Users
Date of Scan:
2025-06-03
Impact:
LOW
Summary:
ASEC researchers have observed the ViperSoftX threat actor targeting cryptocurrency users across the globe, with recent attacks in Korea. This multi-stage malware campaign has been active for several years, aiming for financial gain by stealing cryptocurrency-related information and hijacking transactions. ViperSoftX gains initial access through pirated software or malicious torrent files. Once inside a system, it establishes persistence via scheduled tasks and obfuscated PowerShell scripts. The malware then deploys malicious tools including downloaders, information stealers such as TesseractStealer, clipboard manipulators (ClipBanker) that swap wallet addresses, and RATs such as Quasar RAT and PureHVNC, communicating with C2 servers over HTTP and DNS. It can also monitor clipboard activity for cryptocurrency wallet addresses and BIP39 recovery phrases, exfiltrate browser data and system information, and execute arbitrary commands from the attacker.
Source: https://asec.ahnlab.com/ko/88265/
2025-06-03
APT_28_Targeting_Western_Logistics_and_Technology_Entities
MEDIUM
Intel Source:
CISA
Intel Name:
APT_28_Targeting_Western_Logistics_and_Technology_Entities
Date of Scan:
2025-06-03
Impact:
MEDIUM
Summary:
A joint advisory issued by CISA, NSA, FBI and international partners warns that the GRU's Unit 26165, also known as APT28 or Fancy Bear, has been conducting a long-running cyber espionage campaign targeting Western logistics and technology companies involved in the coordination, transport, and delivery of foreign assistance to Ukraine. The threat actor employs multiple tactics and techniques to gain initial access, including password spraying, spearphishing, exploiting vulnerabilities (in Outlook, Roundcube, and WinRAR, among others) and abusing SOHO devices and VPNs. More recently, it has expanded its activity to include targeting internet-connected cameras in Ukraine and bordering NATO countries to monitor aid shipments. Once inside a system, the threat actor conducts reconnaissance and often uses tools such as Impacket, PsExec, Certipy, and ADExplorer for lateral movement and data exfiltration, focusing on sensitive information related to aid shipments.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a
2025-06-02
Lazarus_Targeting_Crypto_via_Phishing
MEDIUM
Intel Source:
BitMEX
Intel Name:
Lazarus_Targeting_Crypto_via_Phishing
Date of Scan:
2025-06-02
Impact:
MEDIUM
Summary:
BitMEX researchers have analyzed how the Lazarus Group, linked to the North Korean government, continues its financially motivated campaigns against the cryptocurrency sector. The threat actors rely on initial phishing and social engineering, such as recent LinkedIn pretexts for fake web3 project collaborations, to trick victims into executing malicious code often hosted in private GitHub repositories. This initial payload, as detailed by BitMEX, exfiltrates victim metadata to a misconfigured Supabase instance and deploys a second-stage JavaScript credential stealer, resembling "BeaverTail", aimed at pilfering browser data and cryptocurrency wallet access.
Source: https://blog.bitmex.com/bitmex-busts-lazarus-group/
2025-06-02
APT_C_53_Military_Themed_LNK_Attacks
MEDIUM
Intel Source:
360 Threat Intelligence Center
Intel Name:
APT_C_53_Military_Themed_LNK_Attacks
Date of Scan:
2025-06-02
Impact:
MEDIUM
Summary:
The 360 Advanced Threat Research Institute has recently captured VBScript samples attributed to APT-C-53 (Gamaredon), an advanced persistent threat group active since 2013 and known for targeting government and military entities for intelligence theft. This campaign employs highly obfuscated VBS scripts and malicious LNK shortcut files, using military intelligence themes as bait to entice users into executing payloads via social engineering. The attackers use a phased deployment mechanism, achieving persistence through infected user files, registry modifications, and scheduled tasks, ultimately aiming to exfiltrate sensitive information. Forged HTTP request headers, including User-Agent and Referer fields referencing Ukrainian government domains, are used for command-and-control communication, which carries Base64-encoded data.
Source: https://mp.weixin.qq.com/s/sVc2dLNJwbpgEzBXkFyBRw

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.


Why Security Content Matters

Learn how Securonix is paving the way to make precise and actionable security content a reality for our customers.