This weekly cybersecurity recap highlights the expansion of Remote Access Trojans (RATs) and malware campaigns targeting various platforms and sectors, including IoT, government, and banking. It emphasizes increased phishing activities, nation-state cyber operations, and vulnerabilities exploited across enterprise and open-source ecosystems. #Androxgh0st #AsyncRAT #ChaosRAT #SpyMax #XWORM #KimJongRAT #PythonRAT
Remote Access Trojans (RATs) & Malware Campaigns
- Androxgh0st Botnet Expansion: Increased exploitation vectors targeting IoT, platforms, and US university servers hosting C2 loggers with cryptomining payloads. Androxgh0st Continues Exploitation
- AsyncRAT Phishing Campaigns: Persistent phishing using cloud services and ClickFix technique delivers AsyncRAT variants for credential theft and ransomware in multiple regions. AsyncRAT Campaign Continues / Fileless AsyncRAT via ClickFix
- ChaosRAT Targets Windows & Linux: New variants use phishing PDFs with obfuscation for data theft, cryptomining, and persistence across platforms. ChaosRAT New Variants
- SpyMax Android RAT: Fake Indian mobile “Wedding Invitation” app steals banking data, intercepts OTPs via WhatsApp-distributed APK. SpyMax Targets Indian Users
- Modified XWORM RAT by Chinese Actor: Trojanized MSI installer posing as WhatsApp uses Donut shellcode and Telegram checks, with C2 in East/Southeast Asia. Modified XWORM Distribution
- KimJongRAT Stealer Variants: New PE and PowerShell versions use Windows LNK files for infection targeting browser and crypto-wallet data. KimJongRAT New Variants
- Famous Chollima’s Python RAT: Python-based PylangGhost RAT targets crypto/blockchain sectors via fake job interviews, complementary to GolangGhost. Famous Chollima Python RAT
Phishing, Social Engineering & Initial Access
- LabHost Phishing-as-a-Service Infrastructure: FBI uncovers 42,000+ indicators including typosquatting domains supporting large-scale phishing campaigns. LabHost PhaaS DNS Deep Dive
- Immunity Evasion with Long-Lived Domains: Advanced phishing uses long-lived domains and custom CAPTCHAs to evade detection and steal Microsoft credentials. Immunity Evasion in Phishing
- TxTag Phishing Scam: Campaign exploiting fake toll payment scenarios via GovDelivery to steal personal and credit card info. TxTag Phishing Email Schemes
- ClickFix Social Engineering Attack Chain: Exploits SAP NetWeaver CVE-2025-31324 via CAPTCHA-style phishing delivering loaders & infostealers such as GHOSTPULSE. ClickFix SAP Exploitation / ClickFix Attack Chain & Info Stealers
- Amatera Stealer & ClearFake Campaign: Rebranded ACR Stealer distributed through sophisticated ClickFix-based web inject campaigns targeting wallets and messaging apps. Amatera Stealer Advanced Campaign
- Kimsuky Group Phishing with Malicious HWP Docs: Uses paper review-themed phishing delivering password-protected payloads and persistence via AnyDesk manipulation. Kimsuky Malicious Research Papers
WordPress & Web-Based Threats
- Malicious WordPress Plugins: php-ini.php creates hidden admin backdoors activated via URL; wordpress-player.php silently redirects victims with WebSocket C2 control. Malicious WordPress Plugin Backdoor / WordPress Covert Redirector Analysis
- Protestware in npm Packages: Two UI toolkits embedded with protestware disabling UI and playing Ukrainian anthem on Russian-language sites, now removed. Protestware on npm Targeting Russia
Ransomware and Botnets
- BERT Ransomware Targets Multi-OS: Uses phishing, PowerShell scripts, and leaks data on dark web; controlled from Russian infrastructure. BERT Ransomware Campaign
- Prometei Botnet Resurgence: New Linux variants use UPX packing and custom configs focusing on cryptomining and credential theft with DGA and self-updating. Prometei Botnet 2025 Update
- Ransomware Gang Collapse & Qilin Rise: Established ransomware groups weaken while Qilin emerges with advanced cross-platform malware and innovative RaaS model. Ransomware Landscape 2025
- SimpleHelp RMM Vulnerability Exploited: Multiple ransomware actors abuse unpatched SimpleHelp to compromise utility billing software providers. SimpleHelp RMM Exploitation
Nation-State and Geopolitical Cyber Threats
- Iran-Israel Cyber Standoff: Pro-Iranian hacktivists waged large-scale DDoS and defacements; sophisticated espionage by Iran-aligned groups employs spear-phishing and DNS tunneling targeting regional adversaries. Iran-Israel Cyber Hacktivist Front / Iran-Israel Silent Cyber War
- BlueNoroff DPRK Threat Activity: North Korean APT uses Zoom extension phishing lures and extensive infrastructure pivoting targeting Web3 organizations. BlueNoroff Infrastructure Analysis
- Famous Chollima’s Targeted RATs: DPRK-linked actor uses Python and Golang RATs for cryptocurrency sector espionage via fake recruitment sites. Famous Chollima RATs
- Threats to NATO 2025 Summit: Russian and Chinese cyber-espionage, hybrid warfare, and disinformation campaigns threaten NATO countries, especially Eastern Europe. 2025 NATO Summit Threats
- Artificial Intelligence in PLA Military Intelligence: PLA invests in generative AI and LLMs for military analysis while managing risks from misinformation and ideological bias. PLA’s Use of Generative AI
Vulnerability Exploitation & Advanced Intrusions
- SAP NetWeaver CVE-2025-31324 Exploitation: Critical RCE vulnerability exploited by Chinese APTs and ransomware gangs via arbitrary file uploads; early detection by Darktrace noted. Tracking SAP NetWeaver Exploit
- ClickFix Exploit Linked to Multiple Threats: Vulnerability exploited for unauthorized RCE, delivering loaders KrustyLoader and JuicyPotato amid high-profile threat actor activity. ClickFix Vulnerability Attacks
- MySQL Server Targeting for RAT Deployment: Continuous attacks exploit weak MySQL configurations using Gh0stRAT variants and remote control tools like Zoho ManageEngine. MySQL RAT Attacks
- Malicious Excel File Delivering FormBook Payload: Phishing abusing CVE-2017-0199 delivers FormBook malware, enabling device control and data theft. FormBook via Malicious Excel
- Microsoft Exchange Credential Harvesting: Keyloggers implanted on Exchange login pages steal credentials from government organizations across 26 countries. Exchange Login Keylogger Attacks
- XDSpy Cyber-Espionage Campaign: Latest evolution exploits Windows LNK vulnerability to target Eastern European and Russian government entities using XDigo malware. XDSpy Campaign Analysis
- TaxOff and Team46 Exploit Chrome Zero-Day: Same threat actor group deploys Trinper backdoor via phishing against targeted organizations using CVE-2025-2783. TaxOff & Team46 Chrome Zero-Day
Malware Distribution & Ecosystem Vulnerabilities
- Stargazers Ghost Network Targets Gamers: Multi-stage malware infects Minecraft users through fake mods on GitHub, stealing credentials via Java loaders and .NET stealers. Minecraft Mod Malware
- Insecure GitHub Actions Workflows: Critical vulnerabilities in popular open-source CI workflows allow secret exfiltration and privilege escalation, patched after disclosure. Insecure GitHub Actions Discovered
AI-Powered Threats
- WormGPT AI-Powered Malware Generators: Advanced AI variants powered by Grok and Mixtral circumvent safety controls to create phishing and malicious code efficiently. WormGPT AI Malicious Variants
- “Living off AI” Atlassian MCP Attack: Novel prompt injection via Jira Service Management allows unauthorized access exploiting AI integrations in enterprise tools. Atlassian MCP AI Attack
Infostealers & Data Exfiltration
- Rhadamanthys Infostealer Campaign in Korea: Malware disguised as copyright documents uses DLL side-loading and evasion to steal email, banking, and FTP credentials. Rhadamanthys Infostealer Korea
Additional Noteworthy Threats
- Shadow Vector Campaign in Colombia: Legal-themed spear-phishing with SVG decoys delivering AsyncRAT, RemcosRAT, and driver-based privilege escalation. Shadow Vector Malware Campaign
- SadFuture XDSpy Malware Evolution: Uses XDigo malware exploiting Windows LNK flaw to target Eastern Europe and Russia, part of espionage activities. SadFuture XDSpy Update
- New Insight into MySQL Server Attacks: Gh0stRAT and others exploit vulnerable MySQL servers deploying RATs with UDF and legitimate admin tools. MySQL Server RAT Attacks
- May 2025 Ransomware Trends: Decline in new ransomware samples but ongoing impact worldwide including Korea; data from AhnLab and darknet leak monitoring. May 2025 Ransomware Trend Report