Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.

securonix autonomous threat sweep detection report sample

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Learn More

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

Intel Source:: Google Threat Intelligence

Intel Name:: SonicWall_SMA_Exploitation_via_OVERSTEP

Date of Scan:: 2025-07-18

Impact:: HIGH

Summary:: Google Threat Intelligence Group have observed financially motivated activity by the threat actor UNC6148 targeting end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances. These campaigns exploit known vulnerabilities in unpatched or outdated devices to gain initial access. UNC6148 leveraged these vulnerabilities to obtain administrator credentials and one-time password (OTP) seed values—effectively bypassing multi-factor authentication (MFA). Once inside, they deployed OVERSTEP, a previously undocumented user-mode rootkit and backdoor. OVERSTEP achieves persistence through multiple techniques: injecting a malicious shared object via /etc/ld.so.preload and modifying the system’s INITRD image, allowing the malware to survive reboots. The rootkit covertly hijacks file API functions to hide its presence, establishes reverse shells using bash, and exfiltrates sensitive data—including SQLite databases and certificate files—through web-accessible directories. The primary targets are organizations with externally exposed SMA appliances running outdated firmware. The compromise facilitates credential theft, undermines authentication mechanisms, enables extortion, and may lay the groundwork for future ransomware attacks.

Source: https://cloud.google.com/blog/topics/threat-intelligence/sonicwall-secure-mobile-access-exploitation-overstep-backdoor

Intel Source:: Ontinue

Intel Name:: SVG_Smuggling_via_JavaScript_Redirects

Date of Scan:: 2025-07-18

Impact:: LOW

Summary:: Researchers at Ontinue have identified a threat campaign where attackers embed obfuscated JavaScript in SVG image files to perform browser-based redirects to attacker-controlled infrastructure for victim tracking and correlation. Delivered via spearphishing emails—either as attachments or hosted image links—the campaign exploits misconfigured SPF, DKIM, and DMARC settings to spoof trusted senders. The embedded JavaScript decrypts a secondary payload using a static XOR key, reconstructs a malicious URL with atob(), and redirects the victim using window.location.href. Later campaign stages add geofencing to selectively target users. By abusing the benign SVG format and requiring no downloads or macros, the method bypasses traditional defenses. Victims include B2B service providers in finance, utilities, HR, and SaaS sectors.

Source: https://www.ontinue.com/resource/blog-svg-smuggling/

Intel Source:: Securelist

Intel Name:: GhostContainer_Targets_MS_Exchange_Servers_in_Asia

Date of Scan:: 2025-07-18

Impact:: MEDIUM

Summary:: Researchers at Securelist have uncovered a new backdoor, dubbed GhostContainer, targeting Microsoft Exchange servers belonging to high-value organizations in Asia, including a government agency and a high-tech enterprise. The threat actors likely exploited a known N-day vulnerability in Exchange—suspected to be CVE-2020-0688—to gain initial access. After exploitation, they deployed a malicious ASP.NET assembly named App_Web_Container_1.dll onto the compromised servers. GhostContainer employs several advanced evasion techniques. It disables Windows Event Logging and patches the Antimalware Scan Interface (AMSI) to avoid detection. It also derives an AES encryption key from the Exchange server’s ASP.NET machine validation key, using it to decrypt commands embedded as Base64 strings in the x-owa-urlpostdata HTTP header. The malware’s Stub class is capable of executing shellcode, running system commands, performing file operations, and dynamically loading additional .NET modules. Additionally, GhostContainer includes a virtual page injector and web proxy module that support HTTP-based tunneling for command-and-control and data exfiltration.

Source: https://securelist.com/ghostcontainer/116953/

Intel Source:: Trustwave

Intel Name:: KAWA4096_Ransomware_Surge

Date of Scan:: 2025-07-18

Impact:: MEDIUM

Summary:: According to Trustwave SpiderLabs’ analysis, KAWA4096 emerged in June 2025 as a new ransomware strain blending code elements from the Akira family with a bespoke leak-site design. The group has claimed at least 11 victims, primarily in the United States and Japan. This Windows-targeting malware loads its configuration via the LoadResource API, spawns multiple threads synchronized by semaphores to encrypt local and network drives, and terminates backup, database and SAP services via SCM and WMI commands to maximize disruption. It also deletes shadow copies and can self-delete post-encryption, reflecting advanced evasion techniques.

Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/kawa4096s-ransomware-tide-rising-threat-with-borrowed-styles/

Intel Source:: Seqrite

Intel Name:: UNG0002_South_Asian_Espionage_Campaign

Date of Scan:: 2025-07-18

Impact:: MEDIUM

Summary:: Seqrite Labs researchers have identified a sophisticated and persistent threat actor, UNG0002, has been conducting espionage-oriented operations targeting multiple Asian jurisdictions since at least May 2024. Believed to originate from South-East Asia, the group's campaigns, "Operation Cobalt Whisper" and "Operation AmberMist," leverage multi-stage attacks beginning with CV-themed phishing lures to gain initial access. The actor employs a versatile toolset including custom remote access trojans (RATs) like Shadow RAT and INET RAT, alongside techniques such as DLL sideloading and a social engineering method dubbed "ClickFix" that uses fake CAPTCHA pages to execute malicious scripts. UNG0002's primary motivation is intelligence gathering, with a strategic focus on the defense, technology, aviation, and academic sectors. The group demonstrates high adaptability by mimicking the TTPs of other threat actors to complicate attribution and is continuously evolving its malware, indicating that future campaigns will likely feature refined tools and expanded targeting.

Source: https://www.seqrite.com/blog/ung0002-espionage-campaigns-south-asia/

Intel Source:: ASEC

Intel Name:: Indonesian_Data_Leak_and_Jordan_Bank_Ransomware

Date of Scan:: 2025-07-17

Impact:: LOW

Summary:: Researchers at ASEC have discovered two coordinated data compromise and ransomware incidents. In November 2022, actor wonder exploited misconfigured APIs on a major Indonesian fintech platform to harvest authentication tokens and personal details for 44 million customers, later offering the data on LeakBase and BreachForums. Shortly thereafter, the Everest group infiltrated Jordan Bank in Jordan, exfiltrating over 11 GB of internal records before deploying encryption malware and issuing double-extortion demands.

Source: https://asec.ahnlab.com/en/88936/

Intel Source:: BI.ZONE

Intel Name:: Rainbow_Hyena_Phishing_Alert

Date of Scan:: 2025-07-17

Impact:: HIGH

Summary:: Researchers at BI.ZONE have identified that Rainbow Hyena launched a late-June phishing campaign targeting Russian healthcare and IT organizations, delivering ZIP-based polyglot attachments that conceal a decoy document and an LNK dropper to deploy the custom PhantomRemote backdoor. The operation used compromised sender addresses and recognizable branding to evade email filters and trick recipients into executing the payload. PhantomRemote launches via rundll32.exe and cmd.exe, harvests system identifiers (GUID, computer name, domain), and establishes HTTP-based C2 channels to download additional executables and exfiltrate command results. It creates persistent directories under %PROGRAMDATA% (YandexCloud or MicrosoftAppStore) for payload staging. Hidden PowerShell execution, binary obfuscation through polyglot files, and direct IP-based C2 demonstrate advanced evasion and access capabilities.

Source: https://bi.zone/eng/expertise/blog/rainbow-hyena-snova-atakuet-novyy-bekdor-i-smena-taktik/

Intel Source:: Polyswarm

Intel Name:: NimDoor_macOS_Cryptocurrency_Stealer

Date of Scan:: 2025-07-17

Impact:: LOW

Summary:: Researchers from The Hivemind have observed a sophisticated macOS malware campaign deployed by the North Korea–linked threat actor group Stardust Chollima against Web3 and cryptocurrency organizations. First detected in April 2025, NimDoor leverages social engineering via Telegram to trick victims into installing a fake “Zoom SDK update” AppleScript, which then launches a multi-stage payload comprising Nim-compiled binaries, C++ Mach-O loaders and encrypted WebSocket C2 channels. A novel SIGTERM/SIGINT-based persistence mechanism, backed by a LaunchAgent fallback, ensures reinfection if the process is terminated or upon reboot.

Source: https://blog.polyswarm.io/nimdoor-macos-malware

Intel Source:: Dmpdump

Intel Name:: Belarus_Linked_CHM_Downloader_Targeting_Poland

Date of Scan:: 2025-07-17

Impact:: MEDIUM

Summary:: Researchers from dmpdump have observed a malicious HTML Help file exploiting Windows HTML Help to deploy a multi-stage downloader. Delivered as a fake bank transfer notification on June 30, 2025, the CHM triggers obfuscated script that leverages an ActiveX control to extract a staged loader from a CAB container. That loader uses XOR-based decryption and native HTTP APIs to fetch a concealed payload embedded in an image hosted on a remote server, then decrypts and executes it. The final payload establishes persistence by registering a scheduled task via COM. UNC1151 (FrostyNeighbor), a Belarus-linked actor, likely aims to maintain stealthy long-term access. The campaign’s living-off-the-land techniques and banking-themed lure illustrate advanced evasion.

Source: https://dmpdump.github.io/posts/Belarus-nexus_Threat_Actor_Target_Poland/

Intel Source:: Google Threat Intelligence

Intel Name:: Multi_Stage_Phishing_via_Reservation_Portals

Date of Scan:: 2025-07-16

Impact:: MEDIUM

Summary:: Researchers at Google Threat Intelligence have uncovered a large-scale phishing operation exploiting legitimate reservation messaging channels to harvest payment credentials and personal data. The campaign employed a multi-stage infrastructure, with Tier 1 redirectors registered to domains mimicking genuine hotel confirmations and Tier 2 hosts serving fraudulent booking sites. Activity accelerated from January 2025, peaking in May and June, and was observed through both in-app chat threads and authentic-looking emails. Actors leveraged automated domain registration and meta-tag analysis to expand their infrastructure, then delivered victims a malicious archive containing logs of stolen guest booking details.

Source: https://www.googlecloudcommunity.com/gc/Community-Blog/Actionable-threat-hunting-with-GTI-II-Analyzing-a-massive/ba-p/923129?linkId=15662116

View All

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.

Visit Our Sigma Page