Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.

Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

Intel Source: Huntress
Intel Name: Exploitation_of_Triofox_Servers
Date of Scan: 2025-04-16
Impact: LOW
Summary: Researchers from Huntress have observed active exploitation of CVE-2025-30406, a critical vulnerability affecting Gladinet CentreStack and Triofox servers that has been added to CISA's Known Exploited Vulnerabilities catalog. The flaw, rated 9.0 in severity, stems from hardcoded cryptographic keys in default configuration files (web.config) that can be abused for remote code execution through ASP.NET ViewState deserialization.
Source: https://www.huntress.com/blog/cve-2025-30406-critical-gladinet-centrestack-triofox-vulnerability-exploited-in-the-wild

Intel Source: Dark Atlas
Intel Name: Global_Rise_of_Akira_Ransomware
Date of Scan: 2025-04-16
Impact: MEDIUM
Summary: Researchers from Dark Atlas have found that the Akira ransomware group, active since at least March 2023, has rapidly grown into a substantial threat, hitting more than 250 organizations and collecting approximately $42 million in ransom payments. Akira uses a double-extortion model that combines data encryption with exfiltration, threatening to publish stolen information if victims do not pay. Initial access is usually obtained through compromised VPN credentials and vulnerabilities in Cisco products, followed by lateral movement using tools such as AnyDesk, RClone, and WinSCP.
Source: https://darkatlas.io/blog/akira-ransomware-road-to-glory

Intel Source: Kandji
Intel Name: Advanced_macOS_Spyware_PasivRobber
Date of Scan: 2025-04-16
Impact: LOW
Summary: Kandji researchers, following the discovery of a suspicious file named 'wsus' on VirusTotal on March 13, 2025, uncovered PasivRobber, a sophisticated, multi-component macOS spyware suite. The threat appears designed specifically for Chinese users, as indicated by its focus on exfiltrating data from applications popular in China, such as WeChat and QQ, alongside web browsers and email clients. The research suggests a potential link between PasivRobber and Xiamen Meiya Pico Information Co., Ltd., a Chinese company previously identified as a developer of surveillance and forensic tools. PasivRobber demonstrates advanced capabilities and a deep understanding of macOS internals, employing deceptive naming (e.g., 'goed' mimicking 'geod', a '.gz' extension on dylibs), persistence via LaunchDaemons, process injection using tools like 'apse' (similar to insert_dylib), and runtime key extraction from messaging apps using Frida. The suite communicates via RPC and FTP for updates and potential command execution, including remote uninstallation. Its stealth, the breadth of data it harvests, and its sophisticated TTPs indicate a high risk of extensive espionage and sensitive data compromise for targeted individuals and potentially for organizations using affected macOS systems.
Source: https://www.kandji.io/blog/pasivrobber

Intel Source: NVISO
Intel Name: BRICKSTORM_Backdoor_Hits_Windows
Date of Scan: 2025-04-16
Impact: MEDIUM
Summary: NVISO researchers have analyzed BRICKSTORM, a persistent espionage backdoor attributed to the China-nexus cluster UNC5221, now observed targeting Windows environments in addition to its previously known Linux presence. Used in long-running campaigns since at least 2022, BRICKSTORM supports intelligence gathering against European industries relevant to Chinese strategic interests, likely focusing on intellectual property and trade secret theft. The backdoor uses sophisticated command and control techniques, including DNS-over-HTTPS (DoH) for initial C2 resolution and multi-layered TLS tunneling (up to three layers) over WebSockets, leveraging legitimate cloud providers such as Cloudflare and Heroku as first-tier proxies to evade detection.
Source: https://blog.nviso.eu/wp-content/uploads/2025/04/NVISO-BRICKSTORM-Report.pdf

Intel Source: Trend Micro
Intel Name: BPFDoor_Targets_Telecom_and_Finance
Date of Scan: 2025-04-15
Impact: LOW
Summary: Trend Micro researchers have found a previously unknown controller tied to the BPFDoor malware employed by the APT group Red Menshen (also known as Earth Bluecrow), which allows attackers to open a reverse shell for further infiltration into affected networks. BPFDoor, a stealthy state-sponsored backdoor that uses Berkeley Packet Filtering (BPF), has been detected targeting the telecommunications, finance, and retail sectors in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt.
Source: https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.html

Intel Source: Morphisec
Intel Name: ResolverRAT_Malware
Date of Scan: 2025-04-15
Impact: LOW
Summary: Researchers at Morphisec have identified a new remote access trojan, ResolverRAT, being used against the healthcare and pharmaceutical sectors. The attackers send phishing emails in local languages such as Hindi, Italian, and Turkish, using fear-inducing themes like legal trouble or copyright violations to trick users into downloading a malicious file. The malware is installed via DLL side-loading and runs in memory. It establishes multiple persistence methods using the Windows Registry and the file system. ResolverRAT also uses certificate-based authentication, IP rotation, and certificate pinning to stay connected to its C2 servers.
Source: https://www.morphisec.com/blog/new-malware-variant-identified-resolverrat-enters-the-maze/

Intel Source: ISC.SANS
Intel Name: PyArmor_Obfuscated_Malicious_Python_Scripts
Date of Scan: 2025-04-15
Impact: LOW
Summary: Researchers at ISC.SANS have observed threat actors using the legitimate PyArmor tool to obfuscate Python-based stealer malware, hindering detection and analysis. This multi-stage attack, reported in April 2025, begins with JavaScript executing PowerShell to download a zipped Python environment containing the obfuscated payload. The malware is designed to steal credentials and cryptocurrency wallet data and relies on obfuscation to evade static detection. It also likely uses WMI queries for reconnaissance or sandbox evasion.
Source: https://isc.sans.edu/diary/Obfuscated+Malicious+Python+Scripts+with+PyArmor/31840/

Intel Source: Cisco Talos
Intel Name: Toll_Road_Smishing_Scam_in_the_US
Date of Scan: 2025-04-15
Impact: LOW
Summary: Since October 2024, Cisco Talos researchers have tracked a large, ongoing SMS phishing (smishing) campaign aimed at toll road users in numerous US states. Financially motivated threat actors impersonate toll payment systems such as E-ZPass to steal personal and financial information. Victims receive SMS messages claiming a small unpaid toll and prompting them to visit fake domains specific to their state. These websites present bogus CAPTCHAs and false bills, eventually leading victims to enter sensitive information such as credit card numbers.
Source: https://blog.talosintelligence.com/unraveling-the-us-toll-road-smishing-scams/

Intel Source: BI.ZONE
Intel Name: Sapphire_Werewolf_Targeting_Energy_Sector
Date of Scan: 2025-04-14
Impact: HIGH
Summary: BI.ZONE researchers have found that the Sapphire Werewolf threat cluster is actively targeting energy sector organizations with an enhanced version of the open-source Amethyst information stealer. Delivered through phishing emails disguised as HR-related memos containing malicious RAR archives, the stealer is executed by a .NET loader that runs a Base64-encoded payload directly in memory. To avoid sandbox detection, the updated variant includes anti-virtualization checks of registry keys, WMI, hardware components, and services. It also uses Triple DES encryption to obfuscate its configuration data. The attack primarily aims to steal credentials and exfiltrate sensitive data from a range of applications, including web browsers (Chrome, Opera, Yandex), Telegram, FileZilla, SSH clients, remote desktop tools, VPNs, and even documents stored on removable media.
Source: https://bi.zone/eng/expertise/blog/kamen-ogranennyy-sapphire-werewolf-ispolzuet-novuyu-versiyu-amethyst-stealer-dlya-atak-na-tek/

Intel Source: Securelist
Intel Name: GOFFEE_Targets_Russian_Entities
Date of Scan: 2025-04-14
Impact: LOW
Summary: Securelist researchers have found that the threat actor GOFFEE continues to target Russian organizations, particularly in the media, telecommunications, construction, government, and energy sectors. Since 2022, GOFFEE has relied on spear-phishing emails, originally using modified Owowa modules and, by 2024, patched malicious copies of explorer.exe. In the second half of 2024, the group introduced a new PowerShell-based implant known as "PowerModul" and began replacing the PowerTaskel agent with a binary Mythic agent for lateral movement. GOFFEE has further expanded its infection chains to include Word documents with malicious VBA macros and RAR archives containing double-extension executables.
Source: https://securelist.com/goffee-apt-new-attacks/116139/

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.

Why Security Content Matters

Learn how Securonix is paving the way to make precise, and actionable security content a reality for our customers.