LATEST THREAT INTELLIGENCE.

Operation MoneyMount, ISO Deploying Phantom Stealer

Description: A Russian phishing campaign targeting finance and accounting sectors uses fake payment confirmation emails to deliver Phantom stealer malware. The attack chain involves a ZIP file containing an ISO which, when mounted, reveals an executable that loads the stealer. The malware employs anti-analysis techniques and extracts crypto wallets, browser data, and Discord tokens. It also includes keylogging and clipboard monitoring capabilities. The stolen data is exfiltrated via Telegram, Discord webhooks, or FTP. The operation showcases the increasing sophistication of commodity stealers and the strategic use of ISO files for initial access to evade security controls.

Created at: 2025-12-12T08:45:04.559000

Updated at: 2025-12-12T12:55:38.532000

Technical Analysis of the BlackForce Phishing Kit

Description: The BlackForce phishing kit, first observed in August 2025, has evolved through multiple versions and is capable of stealing credentials and performing Man-in-the-Browser attacks to bypass multi-factor authentication. It impersonates various brands and uses sophisticated evasion techniques, including a blocklist for security vendors and web crawlers. The kit features a dual-channel communication architecture, separating the phishing server from a Telegram drop. Its attack chain includes user validation, credential capture, and real-time alerts to attackers. BlackForce employs anti-analysis filters, stateful attack models, and a command-and-control panel for managing phishing sessions. The rapid versioning indicates active development and adaptation to improve resilience and evade detection.

Created at: 2025-12-12T08:45:06.163000

Updated at: 2025-12-12T12:53:38.218000

RTO Challan Fraud: A Technical Report on APK-Based Financial and Identity Theft

Description: A sophisticated mobile fraud operation has been uncovered, distributing a malicious 'RTO Challan / e-Challan' Android application via WhatsApp. The APK uses advanced obfuscation and hidden installation techniques to establish persistent control over victims' devices. It creates a custom VPN tunnel to mask network activity and harvests extensive personal, device, and financial information. The malware intercepts OTPs, manipulates call behavior, and presents a fraudulent payment interface to steal banking credentials. Analysis of the C2 infrastructure revealed obfuscated Base64-encoded URLs pointing to malicious domains. The campaign combines mobile malware, financial fraud, and social engineering, posing a high-risk threat capable of severe monetary losses and large-scale exposure of sensitive personal data.

Created at: 2025-12-12T10:09:15.203000

Updated at: 2025-12-12T12:52:40.011000

React2Shell flaw (CVE-2025-55182) exploited for remote code execution

Description: A critical vulnerability called 'React2Shell' (CVE-2025-55182) affecting React Server Components has been widely exploited. The flaw allows remote code execution through unsafe handling of incoming data during deserialization. Over 165,000 vulnerable IP addresses have been identified. Post-exploitation activities include deploying Linux loaders, establishing persistence, installing obfuscated JavaScript, and using cloud infrastructure for command and control. Both Chinese and North Korean state-sponsored groups are suspected to be involved in the attacks. The vulnerability's exploitation is expected to expand to opportunistic cybercriminals. Organizations are advised to prioritize patching the affected React infrastructure.

Created at: 2025-12-12T10:09:14.608000

Updated at: 2025-12-12T12:51:36.556000

Analyzing the Link Between Two Evolving Brazilian Banking Trojans

Description: This intelligence report examines the connection between two Brazilian banking trojans, Maverick and Coyote. The malware spreads through WhatsApp, using a multi-stage attack that begins with a malicious LNK file. Both trojans share similarities in their infection methods, targeting Brazilian users and banks. The attack chain involves obfuscated PowerShell commands that download additional payloads from command-and-control servers. The malware employs anti-analysis techniques and targets specific browsers. Persistence is achieved through a batch file in the startup folder. The report provides technical details, including code samples and infection chain analysis, as well as indicators of compromise for the identified malware campaign.

Created at: 2025-11-12T09:45:13.946000

Updated at: 2025-12-12T09:00:40.482000

Active Exploitation of Gladinet CentreStack/Triofox Insecure Cryptography Vulnerability

Description: A critical vulnerability in Gladinet's CentreStack and Triofox products has been discovered, involving hardcoded cryptographic keys in their AES implementation. This flaw allows potential access to the web.config file, enabling deserialization and remote code execution. Attackers are actively targeting this vulnerability across various organizations. The issue stems from static encryption keys derived from unchanging Chinese and Japanese text strings, allowing for decryption and creation of access tickets. Exploitation attempts have been observed across multiple sectors, with attackers using the vulnerability to obtain machine keys and perform viewstate deserialization attacks. Immediate updates to the latest version and machine key rotation are recommended for mitigation.

Created at: 2025-12-11T18:25:34.482000

Updated at: 2025-12-12T07:42:48.758000

It didn’t take long: CVE-2025-55182 is now under active exploitation

Description: A critical vulnerability (CVE-2025-55182) affecting React Server Components has been actively exploited since its disclosure on December 4, 2025. The flaw, dubbed React4Shell, allows attackers to execute commands and manipulate files on vulnerable web applications. Kaspersky honeypots detected a surge in exploitation attempts, with attackers deploying various malware, including crypto miners and the RondoDox botnet. The vulnerability affects multiple React-related packages and bundles. Threat actors are leveraging this exploit to steal credentials, compromise cloud infrastructures, and potentially launch supply chain attacks. Immediate patching and implementation of security measures are strongly recommended to mitigate risks associated with this high-severity vulnerability.

Created at: 2025-12-11T15:16:52.116000

Updated at: 2025-12-11T15:19:56.834000

GOLD SALEM tradecraft for deploying Warlock ransomware

Description: This analysis examines the evolving tactics of the GOLD SALEM cybercrime group in deploying Warlock ransomware over a six-month period across 11 incidents. The group exploited SharePoint vulnerabilities for initial access and utilized tools like Velociraptor, VMTools AV killer, and Cloudflared for various attack stages. They targeted multiple sectors, with a focus on IT, industrial, and technology. The group used Warlock, LockBit, and Babuk ransomware variants, often naming executables after victim organizations. Evidence suggests possible Chinese origins, though the group appears primarily financially motivated. GOLD SALEM demonstrated advanced technical abilities, including zero-day exploitation and repurposing of legitimate tools.

Created at: 2025-12-11T12:06:23.352000

Updated at: 2025-12-11T15:12:50.068000

Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite

Description: The report details a long-running espionage campaign by Ashen Lepus, a Hamas-affiliated threat group, targeting governmental and diplomatic entities in the Middle East. The group has developed a new malware suite called AshTag, which includes enhanced custom payload encryption, infrastructure obfuscation, and in-memory execution. Ashen Lepus has expanded its targeting beyond traditional geographic boundaries, now including entities in Oman and Morocco. The AshTag malware suite employs a multi-stage infection chain, utilizing decoy PDFs and RAR archives to deliver its payloads. The group has also updated its C2 architecture to evade detection and blend with legitimate traffic.

Created at: 2025-12-11T12:06:23.934000

Updated at: 2025-12-11T15:09:28.204000

VS Code extensions contain trojan-laden fake image

Description: A malicious campaign involving 19 Visual Studio Code extensions has been uncovered, hiding malware in dependency folders. Active since February 2025, the campaign abuses a legitimate npm package to avoid detection and crafts an archive containing malicious binaries disguised as a PNG image. The attackers modified the popular 'path-is-absolute' package, adding malicious files that are only present when installed through the compromised extensions. The malware is activated when VS Code starts, decoding a JavaScript dropper and executing two malicious binaries using a living-off-the-land binary. This sophisticated attack demonstrates the evolving techniques of threat actors, targeting the VS Code Marketplace and exploiting trusted components to evade detection.

Created at: 2025-12-11T12:06:21.710000

Updated at: 2025-12-11T14:54:02.949000