LATEST THREAT INTELLIGENCE.

Operation DupeHike: Targeting Russian employees with DUPERUNNER and AdaptixC2

Description: A campaign targeting Russian corporate entities, particularly HR, payroll, and administrative departments, has been uncovered. The lures are realistic decoy documents themed around employee bonuses and financial policies. The infection chain begins with a spear-phishing ZIP archive containing LNK files disguised as PDFs; the LNK leads to an implant dubbed DUPERUNNER, which in turn loads an AdaptixC2 Beacon that connects to the threat actor's infrastructure. DUPERUNNER, written in C++, downloads and opens decoy PDFs so the victim sees the expected document, enumerates running processes, and injects shellcode. The final stage is the AdaptixC2 Beacon, which communicates with the command-and-control server. The activity is attributed to the threat actor tracked as UNG0902, which operates several distinct sets of malicious infrastructure and appears to be targeting employees across multiple organizations.

Created at: 2025-12-03T14:29:45.022000

Updated at: 2026-01-02T14:02:11.156000

DeedRAT: Unpacking a Modern Backdoor's Playbook

Description: DeedRAT is a backdoor associated with the Chinese APT group Salt Typhoon and used against critical sectors worldwide. It is delivered through phishing and loaded via DLL sideloading to evade detection: the infection chain consists of three files, a legitimate executable, a malicious DLL that the executable loads in place of the library it expects, and an encrypted file holding the backdoor payload that the DLL decrypts. Persistence is established through registry Run keys and service creation, giving the operators long-term access. Once running, DeedRAT contacts its command-and-control server and supports file manipulation, system reconnaissance, and execution of additional payloads. Defensive measures include monitoring inbound email for the lure attachments, watching for writes to Run keys, and alerting on anomalous service creation.

Created at: 2025-12-31T22:59:16.941000

Updated at: 2026-01-02T10:57:57.003000
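The two persistence mechanisms and the monitoring advice above translate directly into detection logic. The following is an added example written for this page, not code from the DeedRAT report: it scores Windows events that have already been exported as dicts (Sysmon Event ID 13, registry value set, and System log Event ID 7045, new service installed) and reports Run-key writes and service installs whose binary lives in a user-writable directory or is executed through a script/DLL host. The event records, hostnames, paths and the scoring thresholds are all constructed for the demonstration.

```python
"""Added persistence-detection example (constructed; not from the DeedRAT report).

Input: a list of dicts representing Sysmon Event ID 13 (registry value set)
and System log Event ID 7045 (new service installed) records.
"""
import re

# Locations a legitimate installer rarely uses for an autostart or service binary.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|Temp|ProgramData|Users\\Public|Downloads)\\",
    re.IGNORECASE)
# Script and DLL hosts commonly used to run a dropped or sideloaded DLL.
PROXY_HOST = re.compile(r"\b(?:rundll32|regsvr32|mshta|wscript|cscript)\.exe\b",
                        re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\\", re.IGNORECASE)

THRESHOLD = 2  # report anything scoring at least this (constructed value)


def score_event(ev):
    """Return (score, reasons) for one event; score 0 means nothing of interest."""
    score, reasons = 0, []
    if ev.get("EventID") == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
        target = ev.get("Details", "")
        score += 1; reasons.append("Run key written")
        if USER_WRITABLE.search(target):
            score += 2; reasons.append("autostart binary in user-writable path")
        if PROXY_HOST.search(target):
            score += 2; reasons.append("autostart via script/DLL host")
    elif ev.get("EventID") == 7045:
        target = ev.get("ImagePath", "")
        if USER_WRITABLE.search(target):
            score += 3; reasons.append("service binary in user-writable path")
        if PROXY_HOST.search(target):
            score += 2; reasons.append("service runs via script/DLL host")
    return score, reasons


def detect_persistence(events):
    """Return the events that cross THRESHOLD, with their score and reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= THRESHOLD:
            hits.append({"EventID": ev["EventID"], "Computer": ev.get("Computer"),
                         "score": score, "reasons": reasons})
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS01",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\Vendor\updater.exe"},
    {"EventID": 13, "Computer": "WS01",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 7045, "Computer": "WS02", "ServiceName": "WinSvcHelper",
     "ImagePath": r"rundll32.exe C:\ProgramData\svc\helper.dll,Start"},
    {"EventID": 7045, "Computer": "WS02", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 13, "Computer": "WS03",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for hit in detect_persistence(SAMPLE_EVENTS):
        print(hit)
```

A bare Run-key write scores too low to alert on its own because installers create them constantly; the combination with a user-writable path or a rundll32/regsvr32 command line is what separates a sideloaded backdoor from a vendor tray application. A new service (7045) is rarer, so a user-writable ImagePath alone is enough to report.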

Rogue ScreenConnect: Common Social Engineering Tactics Seen in 2025

Description: In 2025 there was a sharp rise in rogue ScreenConnect installations, part of a broader trend of threat actors abusing legitimate remote monitoring and management (RMM) tools to gain initial access, blend in with administrative activity, move laterally, and maintain persistence. Attackers relied on social engineering to get employees to download and run an attacker-controlled RMM agent; common lures included fake Social Security statements, invitations, and financial documents. The Huntress Security Operations Center identified recurring patterns in the lures, delivery domains, and installer file hashes, and some campaigns showed signs of targeting specific industries, such as accounting firms. The article provides detailed examples of the attack patterns and lists the top malicious domains and file hashes observed throughout the year.

Created at: 2025-12-31T18:03:07.902000

Updated at: 2026-01-02T10:47:02.268000

ValleyRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading

Description: A ValleyRAT campaign is targeting job seekers by email with recruitment-themed archive attachments that exploit the recipients' eagerness to respond. The archive carries a legitimate Foxit PDF Reader executable alongside a malicious DLL; when the victim launches the apparent PDF reader, the executable sideloads the attacker's DLL, giving the malware its initial foothold. The files are buried in nested directories inside the archive to obscure the payload. Once running, ValleyRAT can give the operator control of the system, monitor user activity, and steal data. A spike in ValleyRAT detections indicates the campaign is succeeding. The operation combines social engineering, abuse of legitimate software, and DLL sideloading to defeat both technical controls and user judgment.

Created at: 2025-12-03T09:29:56.695000

Updated at: 2026-01-02T09:00:48.810000
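Both the DeedRAT entry and the ValleyRAT entry above hinge on DLL sideloading, and the reason it works is the Windows DLL search order. The following is an added example written for this page, not code from either report: it walks the default search order (SafeDllSearchMode enabled) over a constructed filesystem snapshot and reports imports that resolve to a DLL sitting beside the executable even though a DLL of the same name exists in System32. The executable name, import table, directory contents and the KNOWN_DLLS subset are all constructed; the real KnownDLLs list lives in the registry and causes those names to be mapped from System32 regardless of the search order, which is why attackers pick names that are not on it.

```python
r"""Added model of the Windows DLL search order (constructed; not from either report).

KNOWN_DLLS is an illustrative subset; the authoritative list is the registry key
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
"""
from pathlib import PureWindowsPath

KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll",
              "advapi32.dll", "gdi32.dll", "ole32.dll", "shell32.dll"}
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
WINDIR = PureWindowsPath(r"C:\Windows")


def search_order(app_dir, cwd, path_dirs):
    # With SafeDllSearchMode on (the default), the application directory is
    # consulted before System32, so a DLL dropped next to a trusted executable
    # wins unless its name is a KnownDLL.
    return [app_dir, SYSTEM32, WINDIR / "System", WINDIR, cwd, *path_dirs]


def resolve(dll, app_dir, cwd, path_dirs, fs):
    """Return the path the loader would pick for `dll`, or None if not found."""
    name = dll.lower()
    if name in KNOWN_DLLS:
        return SYSTEM32 / name          # mapped from \KnownDlls; search order skipped
    for directory in search_order(app_dir, cwd, path_dirs):
        candidate = directory / name
        if str(candidate).lower() in fs:
            return candidate
    return None


def sideload_candidates(exe, imports, cwd, path_dirs, fs):
    """Imports that load from the exe's directory while shadowing a System32 DLL."""
    app_dir = PureWindowsPath(exe).parent
    hits = []
    for dll in imports:
        chosen = resolve(dll, app_dir, cwd, path_dirs, fs)
        shadows_system = str(SYSTEM32 / dll.lower()).lower() in fs
        if chosen is not None and chosen.parent == app_dir and shadows_system:
            hits.append((dll, str(chosen)))
    return hits


# Constructed filesystem snapshot (lower-cased full paths) and import table.
FS = {
    r"c:\users\alice\downloads\resume\foxitpdfreader.exe",
    r"c:\users\alice\downloads\resume\version.dll",    # planted by the attacker
    r"c:\users\alice\downloads\resume\kernel32.dll",   # planted, but a KnownDLL
    r"c:\windows\system32\version.dll",
    r"c:\windows\system32\kernel32.dll",
    r"c:\windows\system32\msvcp140.dll",
}
EXE = r"C:\Users\alice\Downloads\Resume\FoxitPDFReader.exe"
IMPORTS = ["KERNEL32.dll", "VERSION.dll", "MSVCP140.dll"]
CWD = PureWindowsPath(r"C:\Users\alice")


def resolve_demo(dll):
    """Resolve one import against the constructed snapshot; returns a path string."""
    return str(resolve(dll, PureWindowsPath(EXE).parent, CWD, [], FS))


def demo():
    return sideload_candidates(EXE, IMPORTS, CWD, [SYSTEM32], FS)


if __name__ == "__main__":
    for dll, path in demo():
        print(f"{dll} would be sideloaded from {path}")
```

Only VERSION.dll is reported: the planted kernel32.dll is ignored because KnownDLLs short-circuits the search, and MSVCP140.dll has no copy beside the executable. On a real host the same check can be run against a process's actual loaded-module list, flagging modules whose path is the application directory when a same-named file exists in System32.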

Snakes by the riverbank

Description: ESET researchers have identified new MuddyWater activity targeting organizations in Israel and Egypt. The Iran-aligned cyberespionage group deployed custom tools to improve defense evasion and persistence, including a loader named Fooder that executes the MuddyViper backdoor. The campaign shows a more focused and refined approach, with the group adopting techniques such as Windows CNG (Cryptography API: Next Generation) for its cryptographic operations and reflective loading to keep payloads off disk. MuddyWater's toolset includes browser data stealers, credential stealers, and reverse tunneling tools. The group primarily targeted critical infrastructure sectors through spearphishing emails containing links to remote monitoring and management software. The campaign indicates an evolution in MuddyWater's operational maturity, with enhanced stealth and credential harvesting capabilities.

Created at: 2025-12-02T14:44:59.788000

Updated at: 2026-01-01T14:00:27.562000

DNS Uncovers Infrastructure Used in SSO Attacks

Description: The threat actor used Evilginx (likely version 3.0), an open source adversary-in-the-middle (AiTM) phishing framework that proxies the victim's browser session to the real login page and captures both the submitted credentials and the session cookies the identity provider returns. Because a captured cookie represents an already-authenticated session, the attacker can replay it without completing the multi-factor authentication (MFA) step, which is why Evilginx is widely used by cybercriminals to bypass MFA. This actor has used it against at least 18 universities and educational institutions across the United States since April 2025. The campaigns were delivered by email, and the phishing domains used subdomains that mimicked the legitimate SSO hostnames.

Created at: 2025-12-03T17:58:34.643000

Updated at: 2026-01-01T07:03:18.851000
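The subdomain-mimicry pattern noted above (the real SSO hostname used as the left-hand labels of an attacker-registered domain) can be checked mechanically against DNS or URL telemetry. The following is an added example written for this page, not code from the original article: it extracts each hostname's registrable domain and flags hosts that embed a legitimate SSO hostname, or the organisation's brand label, anywhere outside the organisation's own domain. The SSO hostnames, the observed hostnames and the tiny public-suffix table are constructed; a real deployment should use the full Public Suffix List (for example via the tldextract package), and the dash-for-dot variant goes slightly beyond the page by also catching hosts such as login-example-edu.example.net.

```python
"""Added SSO-lookalike detector (constructed; not from the original article)."""

# Constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "edu", "io", "co.uk", "ac.uk"}


def registrable(host):
    """Registrable domain: the label just above the longest matching public suffix."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-n - 1:])
    return ".".join(labels)


def classify(host, legit_hosts):
    """Return a reason string if host looks like an SSO lookalike, else None."""
    host = host.lower().rstrip(".")
    legit = {h.lower().rstrip(".") for h in legit_hosts}
    legit_reg = {registrable(h) for h in legit}
    brands = {r.split(".")[0] for r in legit_reg}      # e.g. "example-university"
    reg = registrable(host)
    if reg in legit_reg:
        return None                     # hosted under the organisation's own domain
    subdomain = host[:-len(reg) - 1] if host != reg else ""
    for lh in legit:
        # "sso.example.edu.evil.com" or "sso-example-edu.evil.com"
        if lh in subdomain or lh.replace(".", "-") in subdomain:
            return f"embeds SSO hostname {lh} under {reg}"
    for brand in brands:
        if brand in subdomain:
            return f"brand label {brand!r} in subdomain of {reg}"
        if brand in reg.split(".")[0]:
            return f"brand label {brand!r} in registrable domain {reg}"
    return None


def flag_lookalikes(observed, legit_hosts):
    """Map each suspicious observed hostname to the reason it was flagged."""
    flagged = {}
    for h in observed:
        reason = classify(h, legit_hosts)
        if reason:
            flagged[h] = reason
    return flagged


# Constructed inputs: the organisation's real SSO hosts and a batch of observed names.
LEGIT_SSO = ["sso.example-university.edu", "login.example-university.edu"]
OBSERVED = [
    "sso.example-university.edu",                       # genuine
    "docs.example-university.edu",                      # genuine, same domain
    "sso.example-university.edu.auth-portal.com",       # SSO host as subdomain
    "login-example-university-edu.secure-signin.net",   # dashed variant
    "example-university-sso.com",                       # brand in registrable domain
    "mail.google.com",                                  # unrelated
]


def demo():
    return flag_lookalikes(OBSERVED, LEGIT_SSO)


if __name__ == "__main__":
    for host, reason in demo().items():
        print(f"{host}: {reason}")
```

The registrable-domain step is what keeps the check honest: anything under example-university.edu is left alone, so the detector does not fire on the organisation's own new services, while anything that merely contains the brand or the SSO hostname under someone else's domain is surfaced for review.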

EmEditor Homepage Download Button Served Malware for 4 Days

Description: Between December 19 and 22, 2025, EmEditor's official website was compromised and its main download button served a malicious installer. The fake installer, signed with a certificate issued to WALSHAM INVESTMENTS LIMITED, carried an infostealer that collects login credentials, browser history, and VPN settings. It specifically targeted technical staff and government offices, exfiltrated files, and installed a fraudulent browser extension that provides remote control and swaps cryptocurrency addresses in the browser. Users who downloaded EmEditor during this window are advised to verify that the installer's digital signature belongs to Emurasoft rather than WALSHAM INVESTMENTS LIMITED, delete any suspicious files, and change any passwords stored on the machine. Emurasoft is investigating the incident and has apologized for the inconvenience.

Created at: 2025-12-30T16:57:33.593000

Updated at: 2025-12-30T17:08:48.843000

RondoDoX Botnet Weaponizes React2Shell

Description: A RondoDoX botnet campaign running for nine months, from March to December 2025, has targeted IoT devices and web applications. In December the operators added React2Shell, a critical remote code execution vulnerability in React Server Components that affects Next.js applications, to their exploitation set, using it to deliver RondoDoX payloads and cryptominers and showing how quickly the crew adopts newly disclosed bugs. The activity falls into three phases: initial reconnaissance, web application exploitation, and IoT botnet deployment. The attackers rotated through multiple command-and-control servers and deployed several malware variants built for different CPU architectures. The impact includes widespread IoT device compromise, exposure of unpatched Next.js applications, credential harvesting, and a persistent multi-architecture threat.

Created at: 2025-12-29T19:53:02.379000

Updated at: 2025-12-29T21:25:40.343000

The HoneyMyte APT now protects malware with a kernel-mode rootkit

Description: In mid-2025, a malicious kernel-mode driver signed with a compromised digital certificate was discovered on computer systems in Asia. The driver injects a backdoor Trojan and acts as a rootkit, shielding the malware's files, processes, and registry keys from inspection and removal. The final payload is a new variant of the ToneShell backdoor associated with the HoneyMyte APT group. The attacks, which began in February 2025, primarily target government organizations in Southeast and East Asia, especially Myanmar and Thailand. The malware uses several evasion techniques, including API obfuscation, process protection, and registry key protection. ToneShell communicates with its command-and-control servers using fake TLS headers so that its traffic resembles TLS, and supports remote operations such as file transfer and shell access.

Created at: 2025-12-29T13:22:26.696000

Updated at: 2025-12-29T13:50:47.832000

New Tomiris tools and techniques: multiple reverse shells, Havoc, AdaptixC2

Description: Kaspersky researchers uncovered new malicious operations by the Tomiris threat actor targeting foreign ministries, intergovernmental organizations, and government entities. The attacks, which began in early 2025, show a shift in tactics, with increased use of implants that route command-and-control traffic through public services such as Telegram and Discord. The group develops its reverse shell tools in a range of languages, including Go, Rust, C/C#/C++, and Python. Some infections lead to the deployment of open-source post-exploitation frameworks such as Havoc and AdaptixC2. The campaign primarily focuses on Russian-speaking users and entities, with additional targets in Central Asian countries.

Created at: 2025-11-28T08:31:24.854000

Updated at: 2025-12-28T08:01:08.411000
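Implants that use Telegram or Discord as their C2 channel leave a recognisable footprint in web-proxy logs: calls to the Telegram Bot API (the implant polls getUpdates for tasking and posts results with sendMessage or sendDocument) and POSTs to Discord webhook URLs. The following is an added example written for this page, not Kaspersky's code: it picks those requests out of a pipe-separated proxy log and reports them with the bot or webhook token redacted so the finding itself does not leak a reusable secret. The log format, every log line, and the token strings are constructed for the demonstration.

```python
"""Added public-service C2 detector for proxy logs (constructed; not Kaspersky's code)."""
import re

TELEGRAM_BOT = re.compile(
    r"https?://api\.telegram\.org/bot(?P<id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<method>\w+)")
DISCORD_WEBHOOK = re.compile(
    r"https?://discord(?:app)?\.com/api/webhooks/(?P<id>\d+)/(?P<token>[A-Za-z0-9_.-]+)")


def redact(token):
    """Keep enough of a token to correlate findings, not enough to reuse it."""
    return token[:4] + "..." + token[-2:]


def parse_line(line):
    # Constructed format: timestamp|source IP|user agent|method|URL
    ts, src, ua, method, url = line.rstrip("\n").split("|", 4)
    return {"ts": ts, "src": src, "ua": ua, "method": method, "url": url}


def inspect(entry):
    """Return a finding dict if the request hits a bot-API or webhook endpoint."""
    m = TELEGRAM_BOT.search(entry["url"])
    if m:
        return {"src": entry["src"], "service": "telegram-bot-api",
                "action": m.group("method"), "bot": m.group("id"),
                "token": redact(m.group("token")), "ua": entry["ua"]}
    m = DISCORD_WEBHOOK.search(entry["url"])
    if m:
        return {"src": entry["src"], "service": "discord-webhook",
                "action": entry["method"], "bot": m.group("id"),
                "token": redact(m.group("token")), "ua": entry["ua"]}
    return None


def find_public_service_c2(lines):
    """Scan log lines and return the findings in log order."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        finding = inspect(parse_line(line))
        if finding:
            hits.append(finding)
    return hits


# Constructed sample log; the tokens are made-up strings, not real credentials.
SAMPLE_LOG = """\
2025-03-04T09:12:03Z|10.20.1.17|Mozilla/5.0 (Windows NT 10.0; Win64; x64)|GET|https://discord.com/app
2025-03-04T09:12:44Z|10.20.1.17|python-requests/2.31|GET|https://api.telegram.org/bot123456789:AAExampleTokenForDemo_only/getUpdates
2025-03-04T09:13:10Z|10.20.1.22|Go-http-client/1.1|POST|https://discord.com/api/webhooks/112233445566/AbCdExampleWebhookToken
2025-03-04T09:14:00Z|10.20.1.30|Mozilla/5.0 (Windows NT 10.0; Win64; x64)|GET|https://web.telegram.org/k/
"""

if __name__ == "__main__":
    for hit in find_public_service_c2(SAMPLE_LOG.splitlines()):
        print(hit)
```

Ordinary use of the Discord or Telegram web clients does not match, only the bot-API and webhook endpoints do. Legitimate automation (an IT script posting alerts to a Discord webhook) will also fire, so triage on the source host and user agent; a non-browser client repeatedly polling getUpdates from a workstation with no business reason to run a bot is the strongest signal.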