Threat Research | Weekly Recap [13 Jul 2025]

This weekly recap highlights recent developments in malware, ransomware, and exploitation techniques used by threat actors worldwide. It emphasizes emerging threats to critical infrastructure, cloud environments, and popular web platforms, along with geopolitical cyber conflicts. #Rhadamanthys #RedLineStealer #NordDragonScan #FoxyWallet #SafePayRansomware #AiLock #WingFTP #CitrixBleed #BloodHound #XMRigCoinMiner

Malware and Infostealers

  • Rhadamanthys Infostealer: Modular info-stealer using fileless PowerShell, evasion techniques, and raw IP socket C2 communication.
  • RedLine via Malicious Inno Setup Loader: Legitimate installers abused with Pascal scripts to stealthily deliver RedLine Stealer using sandbox evasion and DLL sideloading.
  • Octalyn Stealer: C++/Delphi credential stealer disguised as a forensic tool, exfiltrating via Telegram with modular obfuscated payloads.
  • NordDragonScan: Windows infostealer delivered by weaponized HTA scripts, stealing browser data and screenshots.
  • Lumma Stealer Campaigns and Infrastructure: Multiple reports cover Lumma Stealer's abuse of GitHub and DNS registrars and the related domain seizures, highlighting extensive malware distribution and evasion.
  • Xworm RAT with Steganography: Distributed via phishing, with malware hidden in JPGs and decoded through PowerShell, complicating detection.
  • FoxyWallet Malware Campaign: Over 40 fake Firefox extensions steal cryptocurrency wallet credentials by impersonating popular wallets like MetaMask and Coinbase.

Ransomware Threats

  • SafePay Ransomware: Emerging ransomware targeting MSPs and SMBs with AES/RSA encryption, endpoint protection disabling, and data exfiltration from network shares.
  • AiLock Ransomware: Uses ChaCha20 and NTRUEncrypt with multi-threaded IOCP encryption, and is actively updating its negotiation and leak sites.
  • BERT Ransomware: Multi-platform ransomware active across Asia, Europe, and the US, utilizing PowerShell loaders and fast encryption and targeting the healthcare and technology sectors.
  • Arkana Ransomware Profile: Linked to Qilin RaaS, uses stolen credentials and lateral movement rather than custom payloads, with major attacks such as the one on WideOpenWest.
  • Pay2Key Resurgence: Iranian-backed RaaS targeting Western organizations, adding Linux support and earning $4M+ in ransoms over four months.

Exploitation and Vulnerabilities

  • Wing FTP Server RCE (CVE-2025-47812): Actively exploited null-byte and Lua injection leading to SYSTEM-level remote code execution; in the reported case the attack was thwarted by Defender.
  • Citrix NetScaler ADC Vulnerabilities: CVE-2025-5777 ("CitrixBleed 2") and others actively abused in the wild, affecting Italian organizations; urgent patching required.
  • Git Arbitrary File Write (CVE-2025-48384): Critical vulnerability affecting Git CLI and GitHub Desktop, enabling remote code execution via malicious repositories.
  • Gluestack-UI GitHub Actions Command Injection (CVE-2025-53104): Allows arbitrary command execution on CI runners, risking secret exfiltration and repository compromise.
  • SailPoint IQService RCE: Default encryption keys and missing authentication enabled unauthenticated remote code execution, now mitigated by TLS and authentication enforcement.
  • In-Memory IIS Exploits by GoldMelody: The group uses leaked ASP.NET machine keys to execute stealthy payloads through ViewState deserialization attacks across the US and Europe.
  • Triada Android Malware Packer Ducex: Advanced Android packer using modified RC4 and anti-debugging, complicating payload detection and forensic analysis.

Phishing and Social Engineering Campaigns

  • SPID Phishing Campaign: Fraudulent emails impersonate official SPID communications to steal credentials; CERT-AGID urges preventive measures.
  • ClickFix and Related Campaigns: Social engineering vector delivering NetSupport RAT, Latrodectus, and Lumma Stealer via phishing and malicious commands.
  • Logokit Phishing Campaign: Targets banking and logistics sectors with credential harvesting hosted on Amazon S3 and using Cloudflare Turnstile for legitimacy.
  • Belarus-Nexus Downloader: Obfuscated C++ downloader delivered via malicious CHM file targets Poland and Eastern Europe under FrostyNeighbor/UNC1151.
  • Fake/Phishing Domain Detection with Validin: HTTP/S features like favicon hashes and redirects help pivot and uncover phishing infrastructure and malicious domains.

Web and WordPress Threats

  • Stealthy PHP Malware in ZIP Archives: Injects redirects and SEO poisoning payloads in WordPress via concealed PHP inside ZIP to manipulate search rankings.
  • WordPress Theme Code Injection: Attackers inject malicious code in theme files like footer.php to silently redirect visitors site-wide.
  • AkiraBot SEO Spamming Framework: Using AI-generated messages and CAPTCHA bypass, it spams website chats and contact forms on 80k+ sites for low-quality SEO promotion.

Cyber Infrastructure and DNS Abuse

  • Funnull Infrastructure and Typosquatting: FBI report reveals 277k+ domains in crypto fraud campaigns from Oct 2023 to Apr 2025, highlighting DNS abuse patterns globally.
  • Malicious Nameservers by DDoS-Guard: Research into Russian bulletproof hosting shows use of fast flux, domain obfuscation, and registrar hopping to back gambling and crypto abuse campaigns.

Cyber Warfare & Geopolitical Threats

  • Middle East Cyber Conflict: Escalating operations by threat actors in the Iran-Israel conflict, such as Seedworm, involve espionage, destructive attacks, and tools like BruteRatel targeting critical infrastructure.
  • US Domestic Violent Extremists Shift: DVEs and HVEs increasingly focus on targeted high-profile physical threats and sabotage, leveraging geopolitical conflicts and technological advances.

Cloud Security & Supply Chain Risks

  • Cloud Intrusions on Azure & AWS: Multiple compromises analyzed in which stolen credentials enabled data theft and ransomware, highlighting the importance of AI-driven anomaly detection.
  • Malicious Pull Request Infects VS Code Extension: Supply chain attack inserts deceptive dependencies into the ETHcode extension, emphasizing risks in software toolchains.
  • Code Highlighting Package Malware: Open-source packages targeting blockchain developers abused extension registries to spread crypto theft malware and remote access Trojans.

Threat Intelligence and Defensive Techniques

  • BloodHound and Associated Collectors: Tools like SharpHound and SoapHound map AD environments to discover attack paths, utilized by ransomware gangs such as Ryuk and Play.
  • SLOW#TEMPEST Malware Obfuscation Techniques: Advanced CFG obfuscation and dynamic jumps thwart detection; described methods facilitate deobfuscation and improved analysis.
  • Detecting Java Spring Authorization Flaws via Source Code Review: Presents practical SCR approaches to finding hidden privilege escalation bugs missed by dynamic testing.
  • Beyond the Breach – Filtering Cyber Threat Noise: Framework to identify genuine threats amidst noisy, recycled, and fabricated breach data to enhance response efficacy.

Cryptocurrency-Related Threats

  • XMRig CoinMiner Attacks Exploiting GeoServer Vulnerability: Active exploitation of CVE-2024-36401 in South Korea deploying cryptominers using LOLBAS and multi-stage persistence.
  • Crypto Wallet Theft via Social Media Scams: Cloud compromises of Azure and AWS lead to credential theft and ransomware, draining crypto wallets using tools like Rclone.

Threat Research | Weekly Recap – hendryadrian.com