Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.


Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

Intel Source: Splunk
Intel Name: A_Deep_Dive_into_XWorm_Malware
Date of Scan: 2025-07-10
Impact: MEDIUM
Summary: Researchers at Splunk have identified XWorm, which employs a rotating arsenal of droppers, stagers, and payloads to evade detection and maintain persistent access on Windows endpoints. It leverages phishing lures impersonating invoices, shipping notices, or business requests to trick users into executing malicious attachments. XWorm is delivered in multiple formats (.exe, .js, .vbs, .bat, .hta, .lnk) and uses advanced evasion techniques such as AMSI bypass, ETW disablement, and registry-based Defender exclusions. It establishes persistence through registry keys, scheduled tasks, startup folder entries, DLL side-loading, and USB or other removable media. Once active, it performs discovery of AV products, video-capture drivers, and graphics card information before establishing HTTP-based C2 communications. The main objective of this malware is unauthorized data access, potential lateral movement, and long-term undetected system compromise.
Source: https://www.splunk.com/en_us/blog/security/xworm-shape-shifting-arsenal-detection-evasion.html

Intel Source: Cyble
Intel Name: LogoKit_Phishing_Campaign
Date of Scan: 2025-07-10
Impact: LOW
Summary: Researchers at Cyble have uncovered an ongoing phishing campaign that leverages LogoKit, which is designed to steal login credentials by impersonating legitimate organizations. The threat actors masquerade as entities such as HunCERT, Kina Bank, the Catholic Church, and logistics companies to deceive users into entering their credentials. These fraudulent pages are hosted on Amazon S3 and Render and appear legitimate by incorporating Cloudflare Turnstile (a CAPTCHA service) and automatically retrieving real logos from Clearbit and Google Favicon. Once a victim enters their credentials, the data is exfiltrated to a C2 server through an HTTP POST request. The stolen credentials can enable attackers to gain unauthorized access, carry out business email compromise (BEC), move laterally within networks, and potentially cause major data breaches.
Source: https://cyble.com/blog/logokit-being-leveraged-for-credential-theft/

Intel Source: Securelist
Intel Name: Batavia_Malware_Targeting_Russia
Date of Scan: 2025-07-09
Impact: LOW
Summary: Securelist researchers have discovered a new malware strain called Batavia that emerged in July 2024. This malware targets Russian industrial enterprises and is delivered through spear-phishing emails disguised as business contracts. When a victim clicks the malicious link, it downloads a VBScript downloader that decrypts and installs additional payloads. Two separate executables, WebView.exe and javav.exe, are used to collect sensitive files such as Microsoft Office documents, system logs, and files from USB drives or other removable media. Additionally, Batavia takes screenshots of the victim's screen and computes file hashes to avoid uploading duplicate files. The malware communicates with its C2 server over HTTPS and obfuscates its payloads using XOR and Base64 encoding. To maintain persistence, it creates a shortcut in the Start Menu's startup folder, ensuring execution on each user login.
Source: https://securelist.com/batavia-spyware-steals-data-from-russian-organizations/116866/

Intel Source: Fortinet
Intel Name: NordDragonScan_Target_Window_Systems
Date of Scan: 2025-07-09
Impact: MEDIUM
Summary: Researchers at FortiGuard have discovered a new information-stealing malware called NordDragonScan, targeting Windows systems primarily in Ukraine's government and energy sectors. The malware is distributed through shortened URLs and malicious shortcut files, which execute a malicious HTA script that installs a .NET-based payload. It leverages the legitimate PowerShell binary to download a hidden payload and installs a file named adblocker.exe inside a folder named NordDragonScan. Once installed, it collects system information, captures screenshots, steals documents and PDFs from common directories, and extracts saved browser data from Chrome and Firefox. It also scans the local network to identify other reachable systems and exfiltrates all collected data to a remote server over HTTPS. Victims are lured with fake Ukrainian-language documents related to government and energy sector communications.
Source: https://www.fortinet.com/blog/threat-research/norddragonscan-quiet-data-harvester-on-windows

Intel Source: GData
Intel Name: XMRig_Global_Cryptomining_Campaign
Date of Scan: 2025-07-09
Impact: LOW
Summary: Researchers at GDATA Security Lab have identified a global cryptomining campaign that emerged in April 2025 and leverages XMRig to mine Monero cryptocurrency. The campaign begins with the execution of batch script files via svchost.exe, followed by PowerShell commands that download and execute additional payloads. The attackers create scheduled tasks to disable Windows Defender and automatic update services before deploying the XMRig miner under random names to evade detection. They use LOLBAS techniques and hidden PowerShell windows to ensure persistence, leading to degraded system performance, increased energy consumption, and disruption of system maintenance. The malware has been observed in multiple countries, indicating that it targets systems worldwide.
Source: https://www.gdatasoftware.com/blog/2025/07/38228-monero-malware-xmrig-resurgence

Intel Source: RedDrip7
Intel Name: NightEagle_Exploits_Exchange_for_Espionage
Date of Scan: 2025-07-08
Impact: MEDIUM
Summary: Researchers at RedDrip7 have disclosed that the APT group NightEagle exploited a previously unknown Microsoft Exchange deserialization vulnerability to achieve remote code execution on targeted Exchange servers. The group's operations appear to be strategically motivated, with a focus on exfiltrating sensitive email data from high-tech Chinese organizations. To establish internal network access, NightEagle deployed a modified Chisel reverse tunnel disguised as a legitimate Synology update service. This was followed by memory-only injection of a custom .NET loader delivered through virtual URL web shells. The implant enabled sustained, covert remote email harvesting and command execution while avoiding disk-based detection mechanisms.
Source: https://github.com/RedDrip7/NightEagle_Disclose/blob/main/Exclusive%20disclosure%20of%20the%20attack%20activities%20of%20the%20APT%20group%20NightEagle.pdf

Intel Source: unit42
Intel Name: Tomcat_Partial_PUT_Camel_Header_Hijack
Date of Scan: 2025-07-08
Impact: MEDIUM
Summary: During March 2025, Unit 42 observed a surge in attacks leveraging two critical Apache vulnerabilities. CVE-2025-24813 permits remote deserialization via Tomcat's standard partial PUT mechanism, while CVE-2025-27636 and CVE-2025-29891 abuse Camel's header processing to execute arbitrary commands. Exploitation attempts exceeded 7,800 across more than 70 countries, confirming a global automated campaign. Attackers identify targets via session name enumeration and Content-Range manipulation before delivering payloads that result in remote code execution.
Source: https://unit42.paloaltonetworks.com/apache-cve-2025-24813-cve-2025-27636-cve-2025-29891/

Intel Source: Cyfirma
Intel Name: APT36_Targets_Indian_Defence_Via_BOSS_Linux_Systems
Date of Scan: 2025-07-07
Impact: MEDIUM
Summary: Researchers from Cyfirma have uncovered a spear-phishing campaign conducted by APT36, also known as Transparent Tribe, targeting Indian defense personnel who use BOSS Linux systems. The attackers send ZIP archives containing a malicious desktop shortcut file. When clicked, it downloads and displays a legitimate PowerPoint decoy while simultaneously retrieving and launching a Go-based ELF binary in the background. The ELF payload establishes a persistent C2 channel over a non-standard port, enabling data exfiltration and covert screenshot capture. It also gathers system information, enumerates storage drives, and uses obfuscated logging routines to evade detection.
Source: https://www.cyfirma.com/research/phishing-attack-deploying-malware-on-indian-defense-boss-linux/

Intel Source: KB4ThreatLabs
Intel Name: Atera_RMM_Phishing_Campaign
Date of Scan: 2025-07-07
Impact: MEDIUM
Summary: Researchers from KnowBe4 ThreatLabs have identified a targeted phishing campaign that uses Social Security statement updates as a lure to distribute a malicious MSI installer masquerading as the Atera Agent RMM. On July 3, 2025, threat actors leveraged compromised email accounts to send a lure offering a "30-day free trial," thereby deploying the legitimate Atera RMM on Windows hosts. By abusing the platform's living-off-the-land capabilities, adversaries establish persistent C2 channels that enable file transfers, interactive shell access, and AI-assisted command execution via the RMM web console.
Source: https://x.com/Kb4Threatlabs/status/1940759187514183827

Intel Source: CCITIC
Intel Name: Datacarry_Ransomware_Campaign
Date of Scan: 2025-07-07
Impact: MEDIUM
Summary: The Cyber Counter-Intelligence Threat Investigation Consortium (CCITIC) has identified a targeted campaign by the Datacarry ransomware group, active since June 2024 and significantly intensifying in spring 2025. The group exploits a critical vulnerability in Fortinet EMS (CVE-2023-48788) to gain initial access. Following exploitation, they use PowerShell to configure the environment for deploying a Go-based implant, which enables persistent command-and-control communication via the Chisel tunneling tool over WebSockets. The actors exfiltrate large volumes of data before deploying a Conti-variant ransomware payload.
Source: https://www.ccitic.org/assets/reports/CCITIC_Report_TLP-White_DATACARRY.pdf

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.


Why Security Content Matters

Learn how Securonix is paving the way to make precise and actionable security content a reality for our customers.