Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.


Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

NailaoLocker_Cheese_Ransomware
Intel Source: Fortinet
Intel Name: NailaoLocker_Cheese_Ransomware
Date of Scan: 2025-07-22
Impact: MEDIUM
Summary: FortiGuard Labs have identified a high-severity variant of NailaoLocker ransomware dubbed “Cheese” targeting Microsoft Windows environments and encrypting nearly all accessible user files with AES-256-CBC and embedded SM2 cryptographic keys to extort victims for illicit financial gain. Delivered through a DLL sideloading chain involving a legitimate usysdiag.exe dropper and a malicious sensapi.dll loader, the malware leverages an IO completion port–based, multi-threaded architecture to traverse logical drives, encrypt data, and drop ransom notes without disrupting critical system paths.
Source: https://www.fortinet.com/blog/threat-research/nailaolocker-ransomware-cheese

SVF_DDoS_Botnet_via_SSH_Compromise
Intel Source: ASEC
Intel Name: SVF_DDoS_Botnet_via_SSH_Compromise
Date of Scan: 2025-07-22
Impact: LOW
Summary: Researchers at ASEC have observed threat actors exploiting weak SSH credentials on unmanaged Linux servers to deploy a Python-based DDoS framework dubbed SVF. In mid-July 2025, AhnLab Security Intelligence Center’s analysts discovered that SVF leverages automated dictionary attacks to seize SSH access, then installs a lightweight Python agent that connects to a Discord channel for command-and-control. The malware dynamically harvests and validates public HTTP proxies to orchestrate both Layer 7 HTTP floods and Layer 4 UDP amplification, rapidly scaling attack volume with minimal footprint.
Source: https://asec.ahnlab.com/en/89083/

Active_ToolShell_SharePoint_Exploits
Intel Source: Unit42 and SentinelOne
Intel Name: Active_ToolShell_SharePoint_Exploits
Date of Scan: 2025-07-22
Impact: HIGH
Summary: According to SentinelOne and Unit42’s analysis, multiple adversary clusters have targeted on-premises Microsoft SharePoint servers since mid-July 2025 by chaining the legacy CVE-2025-49704/49706 flaws with the zero-day bypass CVE-2025-53770/53771, known as ToolShell. Initial hands-on exploitation deployed a password-protected ASPX webshell before advancing to the reconnaissance utility spinstallIO.aspx and ultimately a fileless .NET module that extracts MachineKey cryptographic secrets for credential forging and persistence. Attackers leveraged a logic flaw in SharePoint’s ToolPane.aspx Referer validation to achieve unauthenticated remote code execution, then executed in-memory PowerShell and .NET payloads to move laterally and maintain stealth. Victims included high-value organizations in technology consulting, manufacturing, critical infrastructure, and professional services, indicating strategic targeting of engineering and architecture assets.
Source: https://www.sentinelone.com/blog/sharepoint-toolshell-zero-day-exploited-in-the-wild-targets-enterprise-servers/
Source: https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/

GLOBAL_GROUP_Ransomware
Intel Source: Picus Security
Intel Name: GLOBAL_GROUP_Ransomware
Date of Scan: 2025-07-21
Impact: MEDIUM
Summary: Researchers at Picus Security have uncovered that GLOBAL GROUP is a rebranded evolution of the Mamona RIP and Black Lock ransomware families, now operating as a Ransomware-as-a-Service (RaaS) platform. This threat actor delivers Golang-compiled, cross-platform binaries that leverage ChaCha20-Poly1305 encryption to lock files and enforce a double-extortion model, threatening to publish stolen data if ransom demands are not met. The platform allows affiliates to customize key parameters, including file extensions (.lockbitloch), filename encryption, and optional destructive flags such as self-deletion, log erasure, and process termination, demonstrating operational maturity. Victims include corporate environments (one confirmed case involved RDP access to a U.S. law firm secured by an Initial Access Broker), indicating a focus on professional services networks. Impact potential is severe: encrypted business-critical data, reputational damage, multi-million-dollar ransom demands facilitated by an AI-driven Tor negotiation portal, and pervasive affiliate scaling. GLOBAL GROUP’s integration of automated negotiations, API-exposed SSH credentials, and modular payload generation underscores both sophistication and OPSEC liabilities.
Source: https://www.picussecurity.com/resource/blog/tracking-global-group-ransomware-from-mamona-to-market-scale

Unauthenticated_SharePoint_RCE_Exploitation
Intel Source: Eye Security
Intel Name: Unauthenticated_SharePoint_RCE_Exploitation
Date of Scan: 2025-07-21
Impact: HIGH
Summary: According to Eye Security, the ToolShell chain (CVE-2025-53770) enables unauthenticated remote code execution against on-premises SharePoint servers, resulting in stealthy deployment of a crypto-exfiltration payload called spinstall0.aspx. The exploit combines a SignOut.aspx referer bypass with a vulnerability in the ToolPane.aspx endpoint to drop a PowerShell-based ASPX web shell. The shell extracts the SharePoint MachineKey and ValidationKey, allowing attackers to craft signed __VIEWSTATE tokens via ysoserial for full RCE without credentials. Dozens of servers across multiple regions were compromised within hours, demonstrating the campaign’s scale and speed. Extraction of cryptographic keys undermines authentication, enabling forgery of subsequent payloads and domain-wide access. Successful exploitation threatens lateral movement, data theft, and persistent backdoor access. Microsoft has yet to issue a patch, making immediate detection and mitigation critical.
Source: https://research.eye.security/sharepoint-under-siege/

macOS_ZuRu_Termius_Trojan
Intel Source: SentinelOne
Intel Name: macOS_ZuRu_Termius_Trojan
Date of Scan: 2025-07-20
Impact: LOW
Summary: According to SentinelOne’s analysis, a novel variant of the macOS.ZuRu backdoor has emerged through a trojanized version of the cross-platform SSH client Termius, delivering a modified Khepri C2 beacon that establishes persistent, stealthy access on macOS endpoints. First observed in May 2025, this campaign repackages legitimate Termius.app bundles with additional Mach-O binaries and a Khepri loader, leveraging LaunchDaemon persistence and deprecated AuthorizationExecuteWithPrivileges calls to escalate privileges. The modified beacon employs DNS-based communication on port 53 with decoy domains and an Alibaba Cloud C2, supporting file transfer, system reconnaissance, process control, and command execution.
Source: https://www.sentinelone.com/blog/macos-zuru-resurfaces-modified-khepri-c2-hides-inside-doctored-termius-app/

KongTuke_FileFix_Interlock_RAT_Variant
Intel Source: The DFIR Report
Intel Name: KongTuke_FileFix_Interlock_RAT_Variant
Date of Scan: 2025-07-20
Impact: MEDIUM
Summary: Researchers at The DFIR Report have observed a new PHP-based variant of the Interlock RAT deployed via KongTuke FileFix web-injection campaigns since May 2025, with the PHP payload first identified in June 2025. The Interlock ransomware group compromises legitimate websites to inject a single-line HTML snippet that performs IP-filtered redirection and presents a deceptive CAPTCHA prompt to lure users into executing a PowerShell command, which drops a PHP binary into the AppData\Roaming directory.
Source: https://thedfirreport.com/2025/07/14/kongtuke-filefix-leads-to-new-interlock-rat-variant/

LAMEHUG_LLM_Reconnaissance_Tool
Intel Source: CERT-UA
Intel Name: LAMEHUG_LLM_Reconnaissance_Tool
Date of Scan: 2025-07-20
Impact: MEDIUM
Summary: Researchers from CERT-UA have observed APT operators designated UAC-0001 deploy malicious email attachments on 10 July 2025 posing as official ministry correspondence to deliver a PyInstaller-compiled loader. That loader installs LAMEHUG, a Python-based framework leveraging the Qwen 2.5-Coder-32B LLM via a public API to generate and execute contextual reconnaissance commands. Subsequent iterations broadened its AI-driven exfiltration routines and extended search capabilities. Operators abused a compromised email account and legitimate cloud infrastructure to evade detection on Windows NT 10.0 x64 hosts. LAMEHUG harvests system inventories via native utilities (WMIC, systeminfo, ipconfig) and recursively locates, copies and stages Office and PDF documents for exfiltration.
Source: https://cert.gov.ua/article/6284730

CL_STA_1020_Targeting_Government_Entities
Intel Source: Palo Alto
Intel Name: CL_STA_1020_Targeting_Government_Entities
Date of Scan: 2025-07-19
Impact: MEDIUM
Summary: Researchers from Unit42 have discovered a cyber-espionage campaign, tracked as CL-STA-1020, targeting government organizations in Southeast Asia to collect sensitive information related to recent trade disputes. The attackers use custom-made malware called HazyBeacon, which is installed through DLL sideloading by disguising it as a legitimate Windows file and which establishes persistence through a custom Windows service named msdnetsvc. The malware communicates with actor-controlled AWS Lambda URLs so that its traffic blends into standard HTTPS cloud operations and evades detection. Additionally, the threat actors download multiple payloads such as a file collector, a 7-Zip archiver, and custom tools for uploading stolen files to Google Drive/Dropbox.
Source: https://unit42.paloaltonetworks.com/windows-backdoor-for-novel-c2-communication/

Red_Bull_Recruitment_Phishing_Campaign
Intel Source: Evalian
Intel Name: Red_Bull_Recruitment_Phishing_Campaign
Date of Scan: 2025-07-19
Impact: LOW
Summary: Evalian researchers have discovered a phishing campaign impersonating the Red Bull recruitment team, targeting job seekers through spear-phishing emails. These emails contain embedded links that redirect recipients to a fraudulent but legitimate-looking job application site protected by a reCAPTCHA challenge to enhance its apparent legitimacy. Victims are then taken to a spoofed Facebook login page designed to harvest credentials, which are subsequently transmitted to an attacker-controlled server. This malicious infrastructure is hosted on low-trust VPS services under ASN 63023 and hidden behind newly registered domains. If victims reuse their Facebook credentials across other platforms, the stolen information could facilitate account takeovers, unauthorized system access, and data exfiltration.
Source: https://evalian.co.uk/inside-a-red-bull-themed-recruitment-phishing-campaign/

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.

Why Security Content Matters

Learn how Securonix is paving the way to make precise, and actionable security content a reality for our customers.