Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.


Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

2025-07-15
A_Hybrid_Approach_of_BlackSuit_Ransomware
MEDIUM
Intel Source:
Cybereason
Intel Name:
A_Hybrid_Approach_of_BlackSuit_Ransomware
Date of Scan:
2025-07-15
Impact:
MEDIUM
Summary:
Researchers from Cybereason have uncovered a ransomware group known as BlackSuit that emerged in mid-2023 and is believed to be a successor to the Royal ransomware group. The group operates organized, multi-stage attacks involving both data exfiltration and file encryption. The attackers leverage Cobalt Strike Beacon for C2, deploy payloads through PowerShell commands, and disguise legitimate tools like rclone.exe to evade detection. They move laterally across the network using tools like PsExec, RPC, and RDP, even adding fake administrator accounts to gain wider access. The attackers also steal credentials from LSASS for privilege escalation, exfiltrate around 60 GB of sensitive data to cloud-based servers, and demand ransoms between $1 million and $10 million in Bitcoin.
Source: https://www.cybereason.com/blog/blacksuit-data-exfil
2025-07-12
Defendnot_A_Silent_Windows_Defender_Disabler
MEDIUM
Intel Source:
Stairwell
Intel Name:
Defendnot_A_Silent_Windows_Defender_Disabler
Date of Scan:
2025-07-12
Impact:
MEDIUM
Summary:
Stairwell researchers have highlighted a new tool called defendnot, developed by a user named es3n1n, which is designed to quietly disable Microsoft Defender. The tool relies on a subtle technique: it registers itself as another antivirus product through the Windows Security Center (WSC) API, causing Defender to voluntarily disable itself. Although defendnot was initially released for red teaming, its design makes it useful for cybercriminals or nation-state actors. If attackers use this tool after compromising a system, they can run malware without being detected.
Source: https://stairwell.com/resources/detecting-defendnot-a-tool-for-silently-disabling-windows-defender/
2025-07-12
SLOW_TEMPEST_Malware_Obfuscation
MEDIUM
Intel Source:
unit42
Intel Name:
SLOW_TEMPEST_Malware_Obfuscation
Date of Scan:
2025-07-12
Impact:
MEDIUM
Summary:
According to Unit 42’s analysis, SLOW#TEMPEST employs advanced control-flow obfuscation and dynamic jump dispatchers within a loader DLL to impede static reverse-engineering. The actor delivers an ISO-based dropper that uses the Windows API GlobalMemoryStatusEx to verify system memory exceeds six gigabytes before unpacking the payload, an anti-sandbox measure. First documented in July 2025, this campaign targets Windows environments where indirect function calls and obfuscated API invocations thwart signature and static analysis.
Source: https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/
2025-07-12
Lumma_Stealer_Deploys_Follow_up_Malware
LOW
Intel Source:
Malware Traffic
Intel Name:
Lumma_Stealer_Deploys_Follow_up_Malware
Date of Scan:
2025-07-12
Impact:
LOW
Summary:
Researchers from Malware-Traffic have identified a malware campaign distributing Lumma Stealer, which subsequently deploys a persistent backdoor. The initial infection vector is social engineering, luring victims with cracked "Turnitin" software promoted on a Facebook page as of June 26, 2025. The user downloads a password-protected archive containing a Nullsoft installer. Upon execution, the installer uses an obfuscated batch script and a legitimate AutoIt interpreter to run the Lumma Stealer payload, which exfiltrates data from the compromised Windows system. The stealer then downloads a secondary loader, which retrieves a penetration testing tool from GitHub and establishes persistence via a shortcut in the Windows Startup folder.
Source: https://www.malware-traffic-analysis.net/2025/06/26/index.html
2025-07-12
Exploitation_Wing_FTP_Serve_Vulnerability
MEDIUM
Intel Source:
Huntress
Intel Name:
Exploitation_Wing_FTP_Serve_Vulnerability
Date of Scan:
2025-07-12
Impact:
MEDIUM
Summary:
Researchers from Huntress discovered that attackers were actively exploiting a vulnerability (CVE-2025-47812) in Wing FTP Server versions prior to 7.4.4. This flaw allows attackers to execute remote code on the system with full privileges. The attackers sent crafted requests to the server’s login page, injecting malicious Lua scripts that enabled them to run system commands like cmd.exe and certutil. Once inside, the attackers ran basic reconnaissance commands such as ipconfig and whoami, created two backdoor user accounts named wingftp and wing, and tried to install a remote access tool (ScreenConnect) along with a second-stage malware payload. However, this activity was flagged and blocked by Microsoft Defender as a Trojan named Ceprol.
Source: https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild
2025-07-12
Unauthorized_Proxy_Deployment_on_Linux_SSH
LOW
Intel Source:
ASEC
Intel Name:
Unauthorized_Proxy_Deployment_on_Linux_SSH
Date of Scan:
2025-07-12
Impact:
LOW
Summary:
Researchers at ASEC have identified a campaign in which attackers target Linux systems with weak SSH passwords. The attackers gain initial access through brute-force or dictionary attacks and then execute Bash scripts to install proxy software such as TinyProxy or Sing-box. For TinyProxy, they modify the configuration to allow unrestricted internet access and ensure the proxy starts automatically with the system. The Sing-box installation involves downloading and executing a one-click installation script from a public GitHub repository, enabling support for multiple proxy protocols including vmess-argo and TUICv5. These proxies can be leveraged to conceal further malicious activity or sold for illicit use.
Source: https://asec.ahnlab.com/ko/88669/
2025-07-12
Rhadamanthys_Infostealer_ClickFix_CAPTCHA_Delivery
LOW
Intel Source:
Dark Atlas
Intel Name:
Rhadamanthys_Infostealer_ClickFix_CAPTCHA_Delivery
Date of Scan:
2025-07-12
Impact:
LOW
Summary:
Researchers at Darkatlas have identified the Rhadamanthys infostealer campaign using a typosquatted ClickFix CAPTCHA domain to deliver a stealthy PowerShell launcher that executes in memory and retrieves a malicious MSI package, enabling a fileless dropper flow. That dropper fetches and executes PTRFHDGS.msi via msiexec.exe, masquerading as legitimate software and displaying a fake “Verification complete!” prompt to deceive users. The malware employs multiple anti-analysis checks—including virtualization and debugger detection, as well as time-based side-channel evasion—to hinder sandbox and manual analysis. Once active, Rhadamanthys’ modular architecture harvests a broad range of sensitive data—system identifiers, browser credentials, cryptocurrency wallets, screenshots, and application configurations—from Windows hosts.
Source: https://darkatlas.io/blog/clickfix-chaos-a-deep-dive-into-rhadamanthys-infostealers-stealth-and-steal-tactics
2025-07-12
Fake_CAPTCHA_Social_Engineering
LOW
Intel Source:
Linkedin
Intel Name:
Fake_CAPTCHA_Social_Engineering
Date of Scan:
2025-07-12
Impact:
LOW
Summary:
Shaquib Izhar’s analysis on LinkedIn revealed an emerging social engineering campaign that ensnares victims with a counterfeit CAPTCHA page mimicking a common web security check. Upon clicking “Verify,” the page silently copies PowerShell code to the clipboard and prompts users to launch the Windows Run dialog, where it registers a webhook to monitor execution. The payload chain then delivers a secondary PowerShell loader and a batch script designed to detect and bypass virtualized environments before unleashing additional malware on standard Windows systems.
Source: https://www.linkedin.com/posts/shaquib-izhar_a-very-cool-fake-captcha-social-engineering-activity-7346678407419613184-B0-Y/?utm_source=social_share_send&utm_medium=member_desktop_web&rcm=ACoAABO-jCkB1he5ufTfbYYMNKmaojg8M31OVpM
2025-07-12
Malicious_Inno_Setup_Loader_Deploys_RedLine_Stealer
LOW
Intel Source:
Splunk
Intel Name:
Malicious_Inno_Setup_Loader_Deploys_RedLine_Stealer
Date of Scan:
2025-07-12
Impact:
LOW
Summary:
Splunk researchers uncovered a new malware campaign that uses a fake software installer created with Inno Setup. This installer includes a Pascal script designed to detect and evade debugger and sandbox environments before retrieving and decrypting a multi-stage payload. The installer connects to a TinyURL link that redirects to a file-hosting site (rentry.org), where it downloads a password-protected ZIP file. Once extracted, the malware runs a loader that decrypts and executes a malicious DLL file, which then loads a secondary payload known as HijackLoader. It also creates a hidden scheduled task called lang that runs a disguised program every time the system restarts. In the final stage, the attack drops RedLine Stealer, which collects saved passwords, cookies, form-fill data, and crypto wallet keys from various browsers and extensions.
Source: https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
2025-07-12
Prompt_Injection_Malware
LOW
Intel Source:
Checkpoint
Intel Name:
Prompt_Injection_Malware
Date of Scan:
2025-07-12
Impact:
LOW
Summary:
Researchers at Check Point have discovered a new malware sample called Skynet that was anonymously uploaded from the Netherlands. Although the malware is still in an early stage and not fully functional, it tries to trick AI-based security systems by including a hidden prompt injection that instructs the AI to ignore its usual rules and incorrectly label the malware as safe. The malware also tries to evade detection using sandbox evasion, gathers basic system information, and sets up a secure connection using the Tor network.
Source: https://research.checkpoint.com/2025/ai-evasion-prompt-injection/

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.


Why Security Content Matters

Learn how Securonix is paving the way to make precise and actionable security content a reality for our customers.