Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.


Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

Intel Source: LAC Watch
Intel Name: Winnti_Group_Targeting_Japanese_Organisations
Date of Scan: 2025-02-15
Impact: MEDIUM
Summary: LAC Watch researchers have uncovered a new attack campaign, dubbed RevivalStone, conducted by the Chinese threat actor Winnti group (also known as APT41) and targeting Japanese companies in sectors such as manufacturing, materials, and energy. The campaign has been active since March 2024; the attackers exploited SQL injection vulnerabilities in ERP systems to gain initial access. They then installed web shells such as China Chopper, Behinder, and the sqlmap file uploader, which allowed them to move through the network, steal credentials, and gather intelligence. After gaining access, the attackers deployed an advanced version of the Winnti malware and used AES and ChaCha20 encryption to secure its communications.
Source: https://www.lac.co.jp/lacwatch/report/20250213_004283.html
Intel Source: Securonix Threat Labs
Intel Name: Analyzing_DEEP_DRIVE
Date of Scan: 2025-02-15
Impact: MEDIUM
Summary: Securonix researchers have identified an ongoing campaign, called DEEP#DRIVE, targeting South Korean businesses, government agencies, and cryptocurrency users. The attackers use phishing emails carrying malicious attachments disguised as legitimate documents, such as work logs, insurance forms, and crypto-related files, to trick victims into opening them. Once a user opens one of these files, an LNK file launches a PowerShell script that installs malware, which gathers system information and sends it back to the attackers through Dropbox. The files are typically in .hwp, .xlsx, or .pptx format and are hosted on Dropbox. Researchers attribute the campaign to Kimsuky, a North Korean APT group, based on its TTPs and its use of the same Dropbox technique in prior campaigns.
Source: https://www.securonix.com/blog/analyzing-deepdrive-north-korean-threat-actors-observed-exploiting-trusted-platforms-for-targeted-attacks/
Intel Source: CYFIRMA
Intel Name: JavaScript_to_C2_Server_Malware
Date of Scan: 2025-02-15
Impact: LOW
Summary: CYFIRMA researchers have analyzed a sophisticated multi-stage malware attack that uses obfuscation, steganography, and covert communication to bypass detection. It begins with a disguised JavaScript file that executes a PowerShell script, which downloads a malicious JPG image and a text file containing hidden executables. These payloads deploy stealer malware that collects sensitive data, including credentials and browser information. The stolen data is sent to a Telegram bot, allowing the attackers to maintain persistence while evading traditional security measures. The attack's use of legitimate services, encryption, and multi-layered obfuscation makes detection and mitigation difficult.
Source: https://www.cyfirma.com/research/javascript-to-command-and-control-c2-server-malware/
Intel Source: Recorded Future
Intel Name: Fake_Media_Targets_German_Elections
Date of Scan: 2025-02-14
Impact: LOW
Summary: Researchers from Insikt Group have discovered ongoing Russian influence activities aimed at the German federal elections on February 23, 2025. These operations, linked to networks such as Doppelgänger, Operation Overload, CopyCop, and Operation Undercut, seek to amplify sociopolitical issues, alter public discourse, and undermine trust in democratic institutions.
Source: https://www.recordedfuture.com/research/stimmen-aus-moskau-russian-influence-operations-target-german-elections
Intel Source: Malwarebytes
Intel Name: Fake_Etsy_Invoice_Scam
Date of Scan: 2025-02-14
Impact: LOW
Summary: Malwarebytes researchers have identified a phishing campaign in which cybercriminals target Etsy sellers. The campaign starts with phishing emails that contain a PDF invoice hosted on a legitimate Etsy domain (etsystatic.com). The attached PDF contains a link that asks the seller to confirm their identity or verify their account. Once the seller clicks the link, they are redirected to a fake Etsy login page designed to steal payment information, which the scammers can then use for fraudulent purchases or sell on the dark web.
Source: https://www.malwarebytes.com/blog/news/2025/02/fake-etsy-invoice-scam-tricks-sellers-into-sharing-credit-card-information
Intel Source: Elastic
Intel Name: REF7707_Campaign_Targeting_South_America
Date of Scan: 2025-02-13
Impact: MEDIUM
Summary: Researchers from Elastic Security Labs have discovered a cyber espionage campaign, called REF7707, targeting the foreign ministry of a South American country. The campaign is linked to previous attacks in South Asian countries. The REF7707 attackers rely on advanced malware such as FINALDRAFT, GUIDLOADER, and PATHLOADER, which are designed to infiltrate systems, execute malicious code, and exfiltrate sensitive data. The FINALDRAFT malware has both Windows and Linux versions and is capable of stealing data and injecting itself into other programs. The campaign's main tactic is the use of cloud services and third-party platforms for C2 communication.
Source: https://www.elastic.co/security-labs/fragile-web-ref7707
Intel Source: Microsoft
Intel Name: The_BadPilot_Campaign
Date of Scan: 2025-02-13
Impact: MEDIUM
Summary: Microsoft researchers have uncovered a subgroup within the Russian state actor Seashell Blizzard that conducts cyberattacks globally and compromises internet-facing infrastructure to maintain long-term access to high-value targets. The subgroup has been active since 2021 and is known for stealthy persistence, credential theft, and lateral movement within compromised networks. It targets critical sectors such as energy, oil and gas, telecommunications, shipping, arms manufacturing, and government institutions. It has leveraged published vulnerabilities in ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet FortiClient EMS (CVE-2023-48788) to gain initial access. It follows three primary tactics: targeted attacks using phishing and backdoors, opportunistic attacks exploiting vulnerabilities in internet-facing infrastructure to gain access, and hybrid attacks using supply-chain compromises.
Source: https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/
Intel Source: Symantec
Intel Name: China_Espionage_Tools_Used_in_Ransomware_Attack
Date of Scan: 2025-02-13
Impact: LOW
Summary: In late 2024, tools traditionally used by China-linked espionage groups were deployed in a ransomware attack against a South Asian software company. The attacker exploited a vulnerability in Palo Alto Networks' PAN-OS firewall to gain access, steal cloud credentials, and encrypt the target's machines with RA World ransomware. Notably, the tools used were the same as those seen in previous espionage attacks, including the PlugX backdoor. This unusual blend of espionage tooling with ransomware raises the question of whether China-linked actors are expanding into financially motivated attacks, a behavior more typically seen from other nations such as North Korea. The motive behind this shift remains unclear, but it suggests evolving tactics.
Source: https://www.security.com/threat-intelligence/chinese-espionage-ransomware
Intel Source: Cyberarmor
Intel Name: Nigerian_Cybercriminals_Distributing_XLogger
Date of Scan: 2025-02-12
Impact: LOW
Summary: Researchers from Cyberarmor have uncovered a malware campaign in which Nigerian cybercriminals collect email addresses in order to distribute malware. The attackers start with email harvesting, gathering a list of potential victims through social media, dark web forums, and Google dorking techniques that surface publicly available email addresses. They then launch a phishing campaign from spoofed domains, using Gammadyne Mailer to send bulk emails while hiding their identity behind remote access tools. Once a recipient opens the infected file, the XLogger malware silently steals passwords and other sensitive data from the system and sends the stolen data to the attacker's Telegram channel for further malicious use.
Source: https://cyberarmor.tech/inside-a-malware-campaign-a-nigerian-hackers-perspective/
Intel Source: Palo Alto
Intel Name: StrelaStealer_Targeting_German_Speaking_Users
Date of Scan: 2025-02-12
Impact: LOW
Summary: Recent StrelaStealer activity continues to use WebDAV servers, including the server at the IP address, to host malware. As of February 10, 2025, decoy PDF files are being used in the infection process; these are non-malicious but contain a blurred image to mislead victims. The malware is only triggered when the victim's Windows system has specific German language and locale settings (Austria, Germany, Liechtenstein, Luxembourg, Switzerland).
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-02-10-IOCs-for-StrelaStealer-activity.txt

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries in Sigma format, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.


Why Security Content Matters

Learn how Securonix is paving the way to make precise and actionable security content a reality for our customers.