Threat Research | Weekly Recap [17 Aug 2025]

This weekly recap highlights ongoing phishing campaigns involving malware like Lokibot and cyber-espionage activities by threat actors such as Sidewinder, Educated Manticore, and Lazarus Group. It emphasizes evolving tactics including supply-chain risks, zero-day exploits, and AI-related vulnerabilities that challenge traditional defenses. #Lokibot #Sidewinder #EducatedManticore #LazarusGroup #FireWood #Charon #WinRAR #Termncolor #VexTrio #REVENANT

Phishing & Credential-harvesting Campaigns

  • Phishing remains dominant — HTML/script attachments, exploit docs (CVE-2017-11882) and credential-harvesting links delivered Lokibot and compressed PEs. [July 2025 Phishing Trends]
  • APT Sidewinder used Netlify/Pages.dev fake portals to harvest credentials across Bangladesh, Nepal and Turkey with centralized collection domains. [Sidewinder Netlify Phishing]
  • Iran-linked Educated Manticore employed fake Gmail/Meet pages to steal creds and 2FA from Israeli targets; researchers published 141 IoCs. [Educated Manticore DNS Analysis]
  • ShinyHunters resurfaced targeting Salesforce via ticket-themed domains and Okta phish pages; ties to Scattered Spider suspected. [ShinyHunters Salesforce Activity]
  • PowerShell-based ClickFix/Teams lure led to a multi-stage loader (C2: pharmacynod), delivering a PowerShell RAT. [From ClickFix to Command]
  • WordPress sites injected fullscreen iframes (domains like capcloud[.]icu) to prompt Windows users into running Base64 PowerShell payloads. [Malicious JS iframe on WordPress]
  • Proofpoint demoed an AiTM “phishlet” that can force a FIDO downgrade to weaker auth — a theoretical risk to passkey protections. [FIDO Authentication Downgrade]
  • macOS-targeted phishing delivered an AppleScript stealer (Odyssey Stealer) via fake CAPTCHA/terminal commands to harvest browsers, wallets and Keychain. [Odyssey macOS Stealer]
  • Android banking trojan Lazarus Stealer (not DPRK-linked Lazarus) abused overlays and SMS interception to steal Russian banking credentials and OTPs. [Lazarus Stealer (Android)]

APT Activity, State Actors & Strategic Campaigns

  • New Linux FireWood backdoor variant retains RAT features but changes persistence/command handling; linked to Project Wood lineage. [FireWood Variant]
  • Void Blizzard (Laundry Bear) — Russian-state group using credential theft, QR/AiTM phishing and cloud abuse against NATO/EU targets; activity traced to 2024–2025 incidents. [Void Blizzard Profile]
  • Long-running Lazarus Group profile: espionage and financially motivated ops including supply-chain campaigns and high-profile cryptocurrency attacks. [Lazarus Group Profile]
  • Trend observed a new targeted ransomware, Charon, using APT-style DLL sideloading/process-injection techniques and overlap with Earth Baxia toolchains. [Charon Ransomware Campaign]
  • Regional surge around India’s Independence Day: state-linked groups (e.g., APT36, SideCopy, APT41) plus criminal phishing/DDoS campaigns targeting gov and critical sectors. [Threats Targeting India]

Ransomware, Extortion & Post-exploitation Techniques

  • RDP compromise led to deployment of KawaLocker (KAWA4096); attacker used HRSword to disable security, deleted VSS and encrypted the E: volume. [KawaLocker Incident]
  • LeeMe ransomware used SAP Ariba-themed lures, password-protected GoFile payloads, AES-256 encryption and embedded exfiltration (keylogger/credential theft). [LeeMe via SAP Ariba Lure]
  • Crypto24 blends legitimate admin tools (PsExec, AnyDesk) with custom malware (e.g., RealBlindingEDR) to persist, exfiltrate via Google Drive and evade EDR. [Crypto24 Ransomware Tactics]
  • Sinobi (rebrand of Lynx) operates mature RaaS with double extortion and introduced USB spreading and Windows Credential Manager theft. [Sinobi / Lynx Rebrand]
  • Supply-chain-related and sector incidents hit Korean and global financial institutions: data leaks, ransomware (e.g., DAIXIN) and DDoS affecting insurers and banks. [July 2025 Financial Sector Issues]

Loaders, Malware Platforms & Source-code Leaks

  • CastleLoader used Cloudflare-themed ClickFix phishes and fake GitHub repos to deliver a range of stealers and RATs targeting U.S. government entities. [CastleLoader Campaign]
  • GitHub distribution of SmartLoader disguised as legitimate projects (game cheats/cracks) to deploy loaders like Rhadamanthys and persist via Task Scheduler. [SmartLoader via GitHub]
  • Oyster malvertising returned with a trojanized PuTTY spoof, scheduled-task persistence, cloud CDN second-stage and AV-evasion via GDI noise. [Oyster Malvertising Campaign]
  • Full-source leak of ERMAC v3.0 exposed backend code, builders and weaknesses (hardcoded JWT/static tokens) tying to active C2 and builder infra. [ERMAC v3.0 Source Leak]
  • VexTrio adtech/traffic-fraud platform and legacy spam/scam operations — trackers, cloakers and affiliate networks funnel victims into scam landing pages. [VexTrio Adtech Deconstruction]
  • VexTrio follow-up: sustained spam/fraud enterprise tying domains like datingcell[.]com and mail.holaco[.]de to scam apps and smartlink flows. [VexTrio Legacy Profile]

Vulnerabilities, Exploits & Patch Urgencies

  • WinRAR CVE-2025-8088 (path traversal/ADS) was exploited in the wild by RomCom (Storm-0978/UNC2596) and others to drop backdoors like Mythic Agent, SnipBot, RustyClaw and MeltingClaw; update to WinRAR 7.13. [WinRAR Zero-day Exploitation]
  • ESET advisory and remediation guidance echoed the WinRAR zero-day details and urged immediate updates for UnRAR consumers. [Update WinRAR Tools Now]
  • Fortinet SSL-VPN CVEs (CVE-2022-42475, CVE-2023-27997, CVE-2024-21762) continue to be exploited for unauthenticated RCE leading to scanning, credential theft and RDP persistence; containment via automated blocking was effective in observed incidents. [Fortinet SSL-VPN Exploitation]
  • Erlang/OTP CVE-2025-32433 allows unauthenticated RCE via the native SSH daemon; exploit attempts targeted OT firewalls — apply OTP patches. [Erlang/OTP SSH Vulnerability]
  • Postgres RCE (“Rusty Pearl”) chaining PL/Perl and PL/Rust demonstrated at DEF CON; vendors released patches — upgrade PL components and monitor RDS. [Rusty Pearl (Postgres RCE)]
  • Weekly vulnerability roundup: Cyble logged 717 new CVEs (222 PoCs) including issues in Trend Micro Apex One, D-Link and browser engines — prioritize high-impact patches. [The Week in Vulnerabilities]

Supply-chain, Package Repositories & Cloud-native Risks

  • PyPI supply-chain Trojan: termncolor pulled a malicious dependency (colorinal) that decrypted and DLL-sideloaded signed binaries to run discovery and C2 over Zulip-like traffic. [PyPI termncolor / colorinal]
  • Public .git repository leak exposed 20+ GB of source, credentials and >1M PII records from an automotive vendor — trivial extraction via tools like GitDumper. [Vendor .git Leak & PII Exposure]
  • Datadog Q2 recap: surge in supply-chain and cloud-native persistence (malicious VS Code extensions, obfuscated NPM, cryptominer deployments and novel AWS Lambda “persistence-as-a-service”). [Datadog Q2 Cloud Threat Roundup]
  • Azure resource attribution technique (ATEAM) can enumerate tenant IDs from auth responses, enabling mapping of public resource hostnames to owning tenants. [ATEAM: Azure Tenant Enumeration]

AI/LLM Integration Risks & Model Context Protocol (MCP)

  • MCP servers (LLM tooling) are vulnerable to DNS rebinding and session hijacking, exposing internal APIs — defenses include mTLS, host validation and segmentation. [MCP DNS Rebind Attack]
  • Guidance on securing MCP highlights tool-poisoning, session hijacking, ANSI-escape injection and typosquatting risks — prioritize auth, governance and observability. [Securing LLM MCP]
  • Grammarly’s adoption of Wiz + MCP Server reduced triage times and demonstrates controlled LLM automation for hunting/detection while keeping humans in the loop. [Grammarly MCP Automation]
  • Research shows AI enables a resurgence of Trojan-style decoys (JustAskJacky, TamperedChef) that evade static scanners and use steganography/scheduled tasks for persistence. [JustAskJacky & AI Trojans]
  • REVENANT: a fileless, self-assembling methodology chaining font downloads, clipboard abuse, AI prompt poisoning and telemetry exfiltration to persist and evade detection. [REVENANT Executionless Threat]

Cross-platform Tooling, C2 & Detection Research

  • CrossC2 extends Cobalt Strike beacons cross-platform (C/C++) with loaders like ReadNimeLoader and overlaps with BlackBasta infra; JPCERT published a config parser. [CrossC2 Cross-Platform Beacon]
  • Analysis tutorials and IoC collection: a walkthrough of Donut-generated shellcode, and a Snake Keylogger detonation that produced Suricata rules for detecting Base64-encoded SMTP exfiltration. [Donut Shellcode Tutorial / IoC Collection & Snake Keylogger]
  • Researchers exposed an affiliate advertising/traffic distribution platform (VexTrio) and detailed the trackers, cloakers and CDNs used to scale malvertising, scareware and spam. [Inside VexTrio Ad Platform]

Threat Research | Weekly Recap – hendryadrian.com