Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.


Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOCs) and Spotter queries are available in our GitHub repository.

Intel Source: Securelist
Intel Name: PureRAT_Spam_Attacks_in_Russia
Date of Scan: 2025-05-25
Impact: LOW
Summary:
Securelist researchers discovered an increase in attacks against Russian enterprises using the Pure malware family, specifically PureRAT and PureLogs. The campaign has been active since March 2023 and grew fourfold in early 2025 compared to the same period in 2024. It is distributed via spam emails carrying malicious RAR archives or links to them, and deceives users with accounting-related file names and double extensions such as .pdf.rar.
Source: https://securelist.ru/purerat-attacks-russian-organizations/112619/

Intel Source: SpiderLabs
Intel Name: Fake_Zoom_Invites_Steal_Credentials
Date of Scan: 2025-05-24
Impact: LOW
Summary:
SpiderLabs researchers have identified a phishing campaign targeting corporate users with fake Zoom meeting invitations designed to steal login credentials. The attackers send urgent, legitimate-looking emails to lure recipients into clicking malicious links. The links lead to deceptive Zoom pages that play a pre-recorded video to make it appear that a live meeting is in progress; after a fake disconnection message, the page prompts the user to re-enter their credentials on a fake login screen. Once entered, the stolen credentials are immediately sent to the attackers via Telegram. The primary objective of the campaign is credential theft, which can lead to account takeover.
Source: https://x.com/SpiderLabs/status/1924424257083179462

Intel Source: Hunt.IO
Intel Name: W3LL_Phishing_Kit_Hits_Outlook_Users
Date of Scan: 2025-05-23
Impact: MEDIUM
Summary:
Researchers from Hunt.IO have discovered a phishing campaign leveraging the W3LL Phishing Kit to target Microsoft Outlook credentials. This Phishing-as-a-Service (PaaS) tool, initially identified by Group-IB in 2022 and sold through the W3LL Store marketplace, enables attackers to conduct adversary-in-the-middle (AiTM) attacks that hijack session cookies and bypass multi-factor authentication. The observed campaign used an open directory on an IP address to host the kit's components, including IonCube-obfuscated PHP files in folders named "OV6". The lure was a fake Adobe Shared File web page that, on an attempted login, submitted the entered credentials in a POST request to a /wazzy.php endpoint.
Source: https://hunt.io/blog/phishing-kit-targets-outlook-credentials

Intel Source: Proofpoint
Intel Name: TA406_Targeting_Government_Entities_in_Ukraine
Date of Scan: 2025-05-23
Impact: MEDIUM
Summary:
Researchers from Proofpoint have uncovered phishing campaigns run by the DPRK state-sponsored actor TA406 (also tracked as Opal Sleet and Konni) targeting government entities in Ukraine. The campaigns focus on credential harvesting and malware deployment to collect intelligence related to the ongoing Russian invasion. The attackers impersonate members of a think tank and send fake Microsoft security alerts to trick recipients into opening malicious files in HTML, CHM, ZIP or LNK formats. These files execute a hidden PowerShell script that gathers host data, establishes persistence via autorun batch files and sends the collected data to attacker-controlled servers.
Source: https://www.proofpoint.com/us/blog/threat-insight/ta406-pivots-front

Intel Source: ASEC
Intel Name: PyBitmessage_Backdoor_Malware
Date of Scan: 2025-05-23
Impact: LOW
Summary:
ASEC researchers have identified a hidden backdoor installed alongside a Monero cryptocurrency miner that uses the PyBitmessage library for C2 communications. The initial malware decrypts and deploys both the coinminer and a fileless PowerShell-based backdoor that executes directly in memory and downloads additional malicious tools from GitHub or Russian file-hosting services. The attacker's primary motive is to exploit the compromised systems for cryptocurrency mining while keeping persistent access through the backdoor for potential further attacks.
Source: https://asec.ahnlab.com/ko/88104/

Intel Source: Socket
Intel Name: Koishi_Chatbot_Plugin_Steals_Messages
Date of Scan: 2025-05-22
Impact: LOW
Summary:
Researchers at Socket have discovered a malicious npm package, koishi-plugin-pinhaofa, designed to exfiltrate data from Koishi chatbots. Marketed as a spelling auto-correct helper, the plugin, once installed, silently scans every chatbot message for an eight-character hexadecimal string. When it finds one (which could be a short commit hash, an API token fragment or a checksum), it forwards the entire message to a hard-coded QQ account (UIN: 1821181277) controlled by the threat actor, who publishes under the npm alias kuminfennel. Any secret or credential embedded in or surrounding the trigger string is therefore exposed. This is a supply chain attack on chatbot frameworks that exploits the trust developers place in community plugins and the unrestricted access such plugins typically have inside the bot process.
Source: https://socket.dev/blog/malicious-koishi-chatbot-plugin?utm_medium=feed

Intel Source: ASEC
Intel Name: SEO_Poisoning_Infostealer_Trends
Date of Scan: 2025-05-22
Impact: LOW
Summary:
Researchers at ASEC have identified ongoing trends in Infostealer malware spread throughout April 2025, focusing on the continued use of crack and keygen disguises to entice victims. These threats, typically promoted by SEO poisoning to appear at the top of search results, included well-known Infostealers such as LummaC2, Vidar, and StealC.
Source: https://asec.ahnlab.com/en/88062/

Intel Source: ISC.SANS
Intel Name: AutoIT_Based_AsyncRAT_Delivery_Chain
Date of Scan: 2025-05-22
Impact: LOW
Summary:
Researchers at ISC.SANS have found a malware campaign that delivers a RAT through a two-layer AutoIT script framework. The first executable downloads an AutoIT interpreter and a second, obfuscated AutoIT script that decodes and executes commands using a custom Wales() function. Persistence is established with a custom shortcut in the Startup folder that runs JavaScript to initiate further execution. The final payload, injected into a jsc.exe process as a DLL named Urshqbgpm.dll, attempts to communicate with a known AsyncRAT C2 server and includes references to PureHVNC functionality.
Source: https://isc.sans.edu/diary/31960

Intel Source: SpiderLabs
Intel Name: Tycoon2FA_Phishing_Using_Malformed_URLs
Date of Scan: 2025-05-22
Impact: MEDIUM
Summary:
SpiderLabs researchers have identified Tycoon2FA-linked phishing campaigns targeting Microsoft 365 users. The campaigns use malformed URLs in which the scheme is followed by backslashes (https:\\) instead of forward slashes. Despite the unconventional formatting, mainstream browsers normalize backslashes to forward slashes for http and https URLs and still resolve the links, taking unsuspecting victims to credential-harvesting pages. The technique is used to bypass email security filters and evade URL-based detection systems (a parser that expects // may not recognize the string as a URL or may fail to extract a host from it), with the ultimate aim of stealing Microsoft 365 credentials. The observed infrastructure includes domains hosted on services such as Azure and Cloudflare Workers.
Source: https://x.com/SpiderLabs/status/1924486856902586689
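As an added illustration (not code from SpiderLabs or Securonix), the following Python shows why a backslash URL slips past a parser-based filter and how to catch it: Python's urllib.parse.urlsplit() sees no authority component in https:\\host\path, so a filter that checks the extracted hostname gets an empty string, while a browser, following the WHATWG URL standard, rewrites backslashes to slashes for http/https and connects to the host anyway. The sample email body, the domain names and the find_evasive_urls helper are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Schemes the WHATWG URL standard calls "special": for these a browser turns
# every backslash into a forward slash before parsing, so https:\\host\path is
# fetched exactly like https://host/path. For other schemes (e.g. mailto:)
# backslashes are left alone.
SPECIAL_SCHEMES = {"http", "https", "ftp", "ws", "wss", "file"}

_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):(.*)$", re.DOTALL)

# Candidate URLs in free text. The class [\\/] lets the separator after the
# scheme be slashes, backslashes, or a mix (constructed pattern for this example).
_URL_RE = re.compile(r"\b(?:https?|ftp):[\\/]{1,2}[^\s<>\"']+", re.IGNORECASE)


def browser_normalize(url: str) -> str:
    """Apply the browser's backslash-to-slash rewrite for special schemes.

    Other WHATWG steps (percent-encoding, IDNA, dot-segment removal) are
    deliberately omitted; this is only the part relevant to the lure.
    """
    m = _SCHEME_RE.match(url.strip())
    if not m:
        return url
    scheme, rest = m.group(1).lower(), m.group(2)
    if scheme in SPECIAL_SCHEMES:
        rest = rest.replace("\\", "/")
    return f"{scheme}:{rest}"


def naive_host(url: str) -> str:
    """Host as seen by a filter that trusts urlsplit() on the raw string."""
    return urlsplit(url).hostname or ""


def effective_host(url: str) -> str:
    """Host a browser would actually connect to."""
    return urlsplit(browser_normalize(url)).hostname or ""


def is_backslash_evasion(url: str) -> bool:
    """True when backslashes hide the real host from a naive parser."""
    return "\\" in url and naive_host(url) != effective_host(url)


def find_evasive_urls(text: str) -> list[tuple[str, str]]:
    """Return (raw_url, effective_host) for every evasive URL found in text."""
    return [(u, effective_host(u)) for u in _URL_RE.findall(text)
            if is_backslash_evasion(u)]


# Constructed sample email body; the domains are invented for this example.
SAMPLE_EMAIL = (
    "Your password expires today. Review now: "
    "https:\\\\login-m365-verify.example\\common\\oauth2?id=7\n"
    "Meeting link: https://teams.microsoft.com/l/meetup-join/19%3ameeting\n"
    "Old portal: https:/\\sso-check.example\\auth\n"
)

if __name__ == "__main__":
    for raw, host in find_evasive_urls(SAMPLE_EMAIL):
        print(f"{raw}\n  urlsplit() hostname={naive_host(raw)!r}, "
              f"browser connects to {host!r}")
```

Running the block on the constructed email flags the two backslash links and resolves them to login-m365-verify.example and sso-check.example, while the Teams link passes. In a mail gateway or URL-rewriting proxy, normalizing with browser_normalize before reputation lookups closes this gap; mixed forms such as https:/\host are handled by the same rule.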

Intel Source: The DFIR Report
Intel Name: Confluence_Hit_by_ELPACO_Ransomware
Date of Scan: 2025-05-22
Impact: MEDIUM
Summary:
The DFIR Report researchers observed an unpatched, internet-facing Confluence server compromised via CVE-2023-22527, leading to the deployment of ELPACO-team ransomware (a Mimic variant) approximately 62 hours later. The threat actor first used the exploit to deploy a Metasploit payload and establish C2 directly to an IP address. After initial access, the actor escalated privileges using RPCSS named pipe impersonation, created a local administrator account ("noname"), and installed AnyDesk for persistent remote access via a self-hosted server. Extensive discovery, including network scanning with SoftPerfect NetScan and attempted Zerologon exploitation, preceded credential harvesting with Mimikatz and Impacket's secretsdump. Lateral movement used the compromised domain administrator credentials via Impacket's wmiexec and RDP.
Source: https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/#indicators
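As an added example (written for this page; not from The DFIR Report and not Securonix Spotter content), the Python below hunts Windows event records for two of the post-exploitation steps in the entry above: a freshly created local account being added to Administrators within minutes (the "noname" account), and a remote access tool such as AnyDesk being installed as a service. The sample events, host names, the 30-minute correlation window and the remote-access tool watchlist are constructed assumptions; event IDs 4720, 4732 and 7045 are the standard Windows Security/System log IDs for account creation, local group membership change and service installation.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    """A normalized Windows event: a minimal subset of the log fields."""
    ts: datetime
    host: str
    event_id: int  # 4720 account created, 4732 local group member added, 7045 service installed
    data: dict = field(default_factory=dict)


# Constructed sample events, not data from the DFIR Report case. Field names
# follow the Security log (4720/4732) and System log (7045) schemas. The sample
# assumes 4732's MemberName is already resolved to HOST\user; real 4732 events
# often carry only MemberSid, which would have to be resolved first.
SAMPLE_EVENTS = [
    Event(datetime(2025, 5, 1, 2, 10), "CONFLUENCE01", 4720,
          {"TargetUserName": "noname", "SubjectUserName": "svc_confluence"}),
    Event(datetime(2025, 5, 1, 2, 11), "CONFLUENCE01", 4732,
          {"TargetUserName": "Administrators", "MemberName": "CONFLUENCE01\\noname"}),
    Event(datetime(2025, 5, 1, 2, 25), "CONFLUENCE01", 7045,
          {"ServiceName": "AnyDesk Service",
           "ImagePath": "C:\\ProgramData\\AnyDesk\\AnyDesk.exe --service"}),
    # Benign-looking activity on another host: an account created by an admin
    # and only promoted a day later, outside the correlation window.
    Event(datetime(2025, 5, 1, 9, 0), "FILESRV02", 4720,
          {"TargetUserName": "svc_backup", "SubjectUserName": "itadmin"}),
    Event(datetime(2025, 5, 2, 9, 0), "FILESRV02", 4732,
          {"TargetUserName": "Administrators", "MemberName": "FILESRV02\\svc_backup"}),
]

# Assumed watchlist of remote access tools commonly abused for persistence.
REMOTE_ACCESS_TOOLS = ("anydesk", "atera", "splashtop", "screenconnect")


def rapid_local_admin_creation(events, window=timedelta(minutes=30)):
    """Accounts created (4720) and added to Administrators (4732) on the same
    host within `window`. Returns a list of (host, account) tuples."""
    adds = [e for e in events if e.event_id == 4732
            and e.data.get("TargetUserName") == "Administrators"]
    hits = []
    for created in (e for e in events if e.event_id == 4720):
        user = created.data.get("TargetUserName", "")
        for add in adds:
            member = add.data.get("MemberName", "")
            same_host = add.host == created.host
            same_user = member.lower().endswith("\\" + user.lower())
            in_window = timedelta(0) <= add.ts - created.ts <= window
            if same_host and same_user and in_window:
                hits.append((created.host, user))
    return hits


def remote_access_service_installs(events, tools=REMOTE_ACCESS_TOOLS):
    """7045 service installs whose name or binary path mentions a watchlisted
    remote access tool. Returns a list of (host, service name) tuples."""
    hits = []
    for e in events:
        if e.event_id != 7045:
            continue
        haystack = (e.data.get("ServiceName", "") + " "
                    + e.data.get("ImagePath", "")).lower()
        if any(tool in haystack for tool in tools):
            hits.append((e.host, e.data.get("ServiceName", "")))
    return hits


def hunt(events):
    """Run both rules and return their findings keyed by rule name."""
    return {
        "rapid_local_admin": rapid_local_admin_creation(events),
        "remote_access_service": remote_access_service_installs(events),
    }


if __name__ == "__main__":
    for rule, findings in hunt(SAMPLE_EVENTS).items():
        print(f"{rule}: {findings}")
```

On the constructed events, only CONFLUENCE01 is flagged by both rules; FILESRV02's account promotion falls outside the window. Both rules are deliberately independent of the account name, so they still fire when the actor picks something other than "noname". When adapting this to real telemetry, resolve MemberSid to an account name before comparing, and tune the window and watchlist to your environment's provisioning habits.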

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.


Why Security Content Matters

Learn how Securonix is paving the way to make precise and actionable security content a reality for our customers.