This week’s cybersecurity recap highlights ongoing threats from phishing and social engineering campaigns targeting various sectors, including finance and government, with sophisticated tactics like fake CAPTCHA frameworks and Phishing-as-a-Service platforms. Malware developments include stealthy RATs such as DuplexSpy and Chaos RAT, along with advanced infostealers like OtterCookie, all posing significant risks to corporate and crypto assets; supply chain threats involve malicious repositories and compromised developer tools. The report also covers notable APT activities by groups like UNC5174, OilRig, and Kimsuky, alongside infrastructure attacks exploiting IoT and cloud misconfigurations. Emerging tools like RayV Lite facilitate hardware-level attacks, illustrating the evolving landscape of cyber threats. #ClickFix #FlowerStorm #LazarusGroup #ChaosRAT #Mirai #RayVLite
Phishing & Social Engineering Campaigns
- Coordinated campaigns use phishing emails, fake CAPTCHA pages, and spoofed websites to deliver RATs and steal credentials across sectors including hospitality, finance, and government. Notable techniques include novel ClickFix social engineering and Telegram-exfiltrated multi-factor tokens. Unpacking ClickFix
- Campaigns targeting cryptocurrency users with phishing apps on Google Play that steal mnemonic phrases highlight the risks of compromised developer accounts and embedded phishing URLs. Over 20 Crypto Phishing Applications Found
- Italian phishing campaigns exploiting PDF attachments and fake invoice notices continue to harvest webmail credentials, which are exfiltrated via Telegram channels. Ongoing Phishing Campaign for LiberoMail
- Sophisticated FakeCaptcha frameworks are deployed via infected streaming/file-sharing sites and compromised WordPress portals to trick victims into executing malicious PowerShell commands. HuluCaptcha CAPTCHA Deploys Malware
- The FlowerStorm Phishing-as-a-Service platform uses adversary-in-the-middle attacks to steal Microsoft 365 credentials and bypass MFA, with autonomous detection demonstrated by Darktrace. From Rockstar2FA to FlowerStorm
- Glitch-hosted phishing campaigns targeting Navy Federal Credit Union users exfiltrate OTPs and credentials via Telegram while employing fake CAPTCHAs. Glitch-hosted Phishing Uses Telegram & Fake CAPTCHAs
- Russian-speaking threat actors use typo-squatted domains mimicking Spectrum and multi-platform social engineering to deploy macOS infostealers in the AMOS campaign. AMOS Variant Distributed via ClickFix
- North Korean Lazarus Group’s newly identified malware targets crypto companies using phishing and advanced post-exploitation; an operational security lapse by the group exposed valuable intelligence about its activity. Lazarus Targeting Crypto via Phishing
Malware and RAT Developments
- The DuplexSpy RAT offers stealthy Windows remote access with fileless execution and privilege escalation; it has been released as open source, which raises the risk of its abuse. DuplexSpy RAT: Stealthy Windows Malware
- Chaos RAT, an open-source Golang RAT, continues to evolve with new variants; the research covers vulnerabilities in it that enable remote code execution and real-world samples disguised as network troubleshooting tools. From Open-Source to Open Threat: Chaos RAT
- Blitz malware uses backdoored game cheats and abuses Hugging Face for C2, showing complex operator activity before apparent abandonment. Blitz Malware: Game Cheats & Code Repositories
- OtterCookie, a new stealer linked to the Lazarus Group, targets tech and crypto professionals with fake job offers and steals browser credentials and macOS keychains. OtterCookie: Lazarus Group Malware Targeting Finance & Tech
- Multi-stage infostealers leveraging living-off-the-land techniques via mshta.exe deliver XOR-encoded, obfuscated payloads with PowerShell evasion. MSHTA LOLBin Delivers Obfuscated Infostealer
- A sophisticated RAT without a PE header was analyzed via memory dumping, showing secure C2 communication, system manipulation, and screenshot capture abilities. Deep Dive into a Dumped Malware without a PE Header
- Infostealers continue to be a significant threat, comprising nearly 25% of detected incidents in 2024, targeting corporate, cloud, and identity assets, with marketplaces under law enforcement pressure. Infostealers Crash Course
- The 2025 variant of ViperSoftX enhances modular PowerShell-based malware to steal cryptocurrency wallets with multilayer persistence and encryption. In-depth Analysis of 2025 ViperSoftX Variant
- Malicious Ruby gems impersonating Fastlane plugins exfiltrate Telegram bot tokens after Vietnam’s ban on Telegram, illustrating supply chain attack risks within developer ecosystems. Malicious Ruby Gems Exfiltrate Telegram Tokens
Supply Chain & Repository Threats
- Over 100 backdoored GitHub repositories masquerading as malware and game cheats propagate RATs and infostealers, primarily infecting gamers and novice cybercriminals. The Strange Tale of ischhfd83
- PyPI packages posing as Instagram growth tools steal user credentials and broadcast them to a network of bots, with a Netlify-hosted kill switch controlling the campaign and links to phishing networks. PyPI Package Disguised as Instagram Growth Tool
- Destructive npm packages disguised as utilities contain backdoors capable of wiping production environments remotely over covert communication channels. Destructive npm Packages Enable Remote System Wipe
Advanced Persistent Threat (APT) Activity
- Operation DRAGONCLONE targets Chinese telecommunications organizations with VELETRIX and VShell malware using DLL sideloading, anti-sandbox checks, and IPfuscation, and is linked to the UNC5174 and Earth Lamia groups. Operation DRAGONCLONE
- BladedFeline, an Iran-aligned APT subgroup of OilRig, targets Kurdish and Iraqi officials with advanced spyware including Whisper backdoor and PrimeCache modules for long-term espionage. BladedFeline: Whispering in the Dark
- The Indian-linked TA397 group conducts long-running espionage against government and defense targets, primarily in Europe and Asia, using spearphishing and RATs, with activity timed to Indian Standard Time. The Bitter End: TA397 Espionage
- APT36 (Transparent Tribe) infrastructure investigation via DNS history and host data reveals unreported domains linked to espionage. Illuminating Transparent Tribe with Validin
- North Korean Kimsuky deploys the SecurityMail.chm malware, a CHM file that runs embedded PowerShell, to target virtual asset users and steal cryptocurrency investments. North Korean Hacking Group Kimsuky Malicious Code
Infrastructure & Cloud Threats
- The Mirai botnet exploits CVE-2024-3721 to infect TBK DVR devices, featuring RC4 encryption and anti-VM defenses; mitigations and infection stats are detailed. Mirai Targets DVR Devices with CVE-2024-3721
- Hazy Hawk hijacks dormant cloud assets via forgotten dangling DNS CNAME records to host scams and malware behind complex traffic routing. Cloudy with a Chance of Hijacking Forgotten DNS Records
- DevOps infrastructure is targeted for cryptojacking by JINX-0132 exploiting Nomad, Consul, Docker, and Gitea server misconfigurations using the open-source XMRig miner. DevOps Tools Targeted for Cryptojacking
- Misconfigured AI-assisted coding tools are exploited to deliver AI-generated Python payloads installing cryptominers and infostealers on Linux and Windows, leveraging evasion techniques and Discord webhooks. Attacker Exploits Misconfigured AI Tool
Security Risks in Software Development & Extensions
- Hardcoded credentials in Chrome extensions put users and services at risk; the report urges backend key storage, key rotation, and monitoring to prevent losses. Security Flaws in Chrome Extensions
- Browser extensions were found to leak telemetry data over unencrypted HTTP channels, risking exposure of user data despite no direct password leaks. Unmasking Insecure HTTP Data Leaks in Chrome Extensions
- LLM-assisted programming tools introduce security risks via insecure code generation; applying security-focused rules files helps mitigate these issues. Rules Files for Safer Vibe Coding
Emerging Tools & Techniques
- RayV Lite is an open-source, low-cost IR laser fault injection platform enabling transistor-level hardware attacks and silicon visualization, lowering advanced hardware research barriers. Pew Pew, Precisely: RayV Lite