LATEST THREAT INTELLIGENCE.
Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implement Novel Covert C2 Communication
Description: A cluster of suspicious activity, tracked as CL-STA-1020, has been targeting governmental entities in Southeast Asia since late 2024. The threat actors have developed a new Windows backdoor called HazyBeacon, which uses AWS Lambda URLs for command and control communication. This technique leverages legitimate cloud functionality to create a covert, scalable, and hard-to-detect communication channel. The attackers' primary goal appears to be covert intelligence gathering, focusing on sensitive government data related to trade disputes. They also use Google Drive and Dropbox for data exfiltration, blending with normal network traffic. The attack involves DLL sideloading, persistence through a Windows service, and various payloads for file collection and exfiltration.
Created at: 2025-07-14T14:05:53.756000
Updated at: 2025-07-15T09:21:44.593000
KongTuke FileFix Leads to New Interlock RAT Variant
Description: A new and resilient variant of the Interlock ransomware group's remote access trojan (RAT) has been identified. This PHP-based malware, a shift from the previous JavaScript-based NodeSnake, is being used in a widespread campaign associated with the LandUpdate808 (KongTuke) web-inject threat clusters. The campaign begins with compromised websites injected with a hidden script, employing IP filtering to serve the payload. The malware performs automated reconnaissance, establishes command and control through Cloudflare Tunnels, and has various execution capabilities. It uses PowerShell for system profiling and discovery, creates persistence through registry modifications, and leverages RDP for lateral movement. The campaign appears to be opportunistic, targeting multiple industries.
Created at: 2025-07-15T08:57:07.511000
Updated at: 2025-07-15T09:13:32.771000
Stealthy PHP Malware Uses ZIP Archive to Redirect WordPress Visitors
Description: A sophisticated piece of malware was discovered embedded in a WordPress site's core files, specifically in wp-settings.php. The malware uses a ZIP archive to hide malicious code and perform search engine poisoning and unauthorized content injection. It employs dynamic Command and Control server selection, anti-bot mechanisms, and manipulates SEO-related files. The malware's main goals include manipulating search engine rankings, injecting spam content, and performing unauthorized redirects. It uses obfuscation techniques and ZIP archives for code inclusion, making it challenging to detect and remove. Prevention measures include keeping software updated, using reputable sources for themes and plugins, implementing strong credential security, utilizing a Web Application Firewall, and regularly scanning for malware.
Created at: 2025-07-14T13:50:30.800000
Updated at: 2025-07-14T13:50:47.554000
NordDragonScan: Quiet Data-Harvester on Windows
Description: A sophisticated infostealer dubbed NordDragonScan has been discovered, targeting Windows systems through weaponized HTA scripts. The malware is distributed via shortened links leading to RAR archives containing malicious LNK shortcuts. Once installed, NordDragonScan performs extensive reconnaissance, collecting system information, network details, browser data, and sensitive documents. It utilizes custom obfuscation techniques and establishes persistence through registry modifications. The stolen data is exfiltrated to a command-and-control server using TLS encryption. The attack employs various decoy documents to evade detection and maximize infection opportunities. NordDragonScan's capabilities include screenshot capture, Chrome and Firefox profile harvesting, and local network scanning.
Created at: 2025-07-14T13:44:54.020000
Updated at: 2025-07-14T13:46:16.434000
Likely Belarus-Nexus Threat Actor Delivers Downloader to Poland
Description: A malicious CHM file targeting Poland was discovered, containing an infection chain that drops and executes a C++ downloader. The CHM file displays a decoy image while executing obfuscated JavaScript to extract and run a DLL. The downloader retrieves a payload from a domain associated with previous Belarus-linked threat activities. The payload is encrypted and appended to an image file. The infection process involves multiple stages, including the use of LOLbins and the creation of a scheduled task for persistence. This campaign shows similarities to activities attributed to threat actors like FrostyNeighbor and UNC1151, known for targeting Eastern European countries.
Created at: 2025-07-14T11:55:54.846000
Updated at: 2025-07-14T13:43:55.377000
A Hybrid Approach with Data Exfiltration and Encryption
Description: The BlackSuit ransomware group, believed to be a rebrand of Royal ransomware, has emerged as a significant threat to organizations. This sophisticated attack combines data exfiltration and encryption, utilizing tools like Cobalt Strike for command and control, rclone for data exfiltration, and BlackSuit ransomware for file encryption. The group's tactics include lateral movement through RDP, SMB, and PsExec, credential dumping, and deletion of shadow copies. Notably, the ransomware uses a -nomutex flag, allowing multiple concurrent executions. The attack flow involves initial access, lateral movement, data exfiltration, partial encryption, and ransom demands ranging from $1 million to $10 million USD in Bitcoin. This hybrid approach highlights the evolving nature of ransomware threats and the need for robust security measures.
Created at: 2025-07-12T09:21:54.779000
Updated at: 2025-07-14T11:01:22.950000
New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks
Description: Insikt Group uncovered new infrastructure linked to GrayAlpha, a threat actor associated with FIN7. They identified a custom PowerShell loader named PowerNet that deploys NetSupport RAT, and another loader called MaskBat. Three main infection vectors were discovered: fake browser updates, fake 7-Zip download sites, and the TAG-124 traffic distribution system. While all three methods were used simultaneously, only the fake 7-Zip sites remained active at the time of writing. The analysis also led to the identification of a potential individual involved in GrayAlpha operations. The group's sophisticated tactics highlight the need for comprehensive security measures, including application allow-listing, employee training, and advanced detection techniques.
Created at: 2025-06-13T20:55:44.654000
Updated at: 2025-07-13T20:04:30.723000
Private Contractor Linked to Multiple Chinese State-Sponsored Groups
Description: A recent leak from I-SOON, a Chinese IT and cybersecurity company, has revealed connections to several state-sponsored cyber groups including RedAlpha, RedHotel, and Poison Carp. The leak exposes a sophisticated espionage network involving the theft of communications data for individual tracking. Analysis confirms operational and organizational ties between I-SOON and these groups, highlighting I-SOON's role as a digital quartermaster providing shared cyber capabilities in China's aggressive cyber ecosystem. Despite the leak, I-SOON is expected to continue operations with minor adjustments. The revelation enhances understanding of Chinese cyber espionage and may impact future US legal actions against I-SOON operatives.
Created at: 2025-06-13T19:49:19.039000
Updated at: 2025-07-13T19:01:19.848000
From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery
Description: Check Point Research uncovered a malware campaign exploiting expired Discord invite links to redirect users to malicious servers. The attackers use a combination of techniques including ClickFix phishing, multi-stage loaders, and time-based evasions to deliver AsyncRAT and a customized Skuld Stealer targeting crypto wallets. The campaign leverages trusted cloud services for payload delivery and data exfiltration to avoid detection. The operation continues to evolve, with threat actors now able to bypass Chrome's App Bound Encryption using adapted tools like ChromeKatz to steal cookies from new Chromium browser versions. The campaign highlights how subtle features in Discord's invite system can be exploited as attack vectors.
Created at: 2025-06-13T14:47:04.385000
Updated at: 2025-07-13T14:01:13.583000
What is the Real Relationship between WordPress Hackers and Malicious Adtech?
Description: An investigation into VexTrio, a malicious traffic distribution system (TDS), revealed surprising connections between WordPress hackers and adtech companies. When VexTrio's operations were disrupted, multiple malware actors migrated to a new TDS that was discovered to be related to VexTrio. Several commercial TDSs were found to share software elements with VexTrio and benefit from its relationship with website malware actors. The investigation uncovered a complex network of adtech firms, including Partners House, BroPush, and RichAds, that use similar technologies and tactics to distribute malicious content. These firms have information about the identities of malware actors, which could potentially lead to their disruption.
Created at: 2025-06-13T07:59:41.899000
Updated at: 2025-07-13T07:02:26.133000
