Threat Research | Weekly Recap [14 Sep 2025]

The weekly recap highlights continued double-extortion ransomware activity and copycat families, with Yurei leveraging open-source Prince code and healthcare remaining a major target. It also details rapid RATs, APT campaigns, supply-chain compromises, and evolving extortion trends, underscoring cross‑actor intrusions, AI‑assisted threats, and defensive guidance. #Yurei #SafePay #BlackNevas #LunaLock #CyberVolk #ZynorRAT #MostereRAT

Ransomware & extortion activity

  • Double‑extortion and copycat families continue to proliferate — new Go‑derived ransomware group Yurei leverages open‑source Prince code; SafePay and BlackNevas run focused RaaS-like operations; healthcare remains heavily targeted. Yurei — Check Point
  • Pro‑Russia actor with hard‑to‑recover encryption: CyberVolk uses dual ciphers with per‑file nonces that prevent decryption. CyberVolk analysis — AhnLab
  • High‑OPSEC, fast encryption campaigns from non‑RaaS actors (SafePay); victims across sectors with unique artifacts and rapid impact. SafePay — Bitdefender
  • Trend: ransomware groups threaten novel extortion uses — LunaLock threatens to sell/train AI models with stolen data. LunaLock extortion — CERT‑AGID
  • Investigations show single intrusions can feed multiple ransomware gangs (Play, RansomHub, DragonForce), complicating attribution and response. Multi‑gang intrusion — DFIR Report
  • Sector snapshot: sustained 2025 healthcare impact from families like INC, INTERLOCK, Qilin and others using phishing, CVE exploits and Cobalt Strike. Healthcare ransomware review — PolySwarm

Remote‑access trojans (RATs) & post‑exploitation toolsets

  • New Telegram‑backed Linux RAT: ZynorRAT (Go) uses Telegram bots for C2, file exfiltration, screenshots and systemd persistence — likely Turkish developer prepping sales. ZynorRAT — Sysdig
  • Phishing campaigns delivering staged RATs that deploy legitimate remote‑access tools: MostereRAT uses EPL‑based loaders and TrustedInstaller escalation, then installs AnyDesk/TightVNC for covert full access. MostereRAT — Fortinet
  • Multi‑RAT campaign targeting Chinese users delivered ValleyRAT, FatalRAT and a hybrid kkRAT with crypto‑hijack and RMM abuse (Sunlogin/GotoHTTP). kkRAT family — Zscaler
  • Intrusion case showed chained RATs/backdoors (SectopRAT, SystemBC, Betruger) enabling credential theft (DCSync), lateral movement and exfiltration — likely affiliate operations. Multi‑tool intrusion — DFIR Report
  • Open‑source post‑exploitation framework AdaptixC2 observed in the wild; modular loaders and PowerShell artifacts used for persistence and exfiltration. AdaptixC2 — Unit 42

APT campaigns, nation‑state tooling & espionage

  • Fileless espionage in APAC: Chinese APT used EggStreme (in‑memory payloads + DLL sideloading) against a Philippine military contractor with 58 backdoor commands. EggStreme — Bitdefender
  • Mustang Panda variant (“Frankenstein” ToneShell) leverages DLL sideloading, rolling‑XOR C2 and GUID host IDs, targeting Myanmar — useful C2/DLL IOCs available. ToneShell variant — Intezer
  • North Korean‑linked APT37 used a Rust backdoor (Rustonotto), PowerShell backdoor and Python loaders to target South Korean interests with doppelgänging and stealth. APT37 operations — Zscaler
  • Cluster tracking: new domains and infrastructure tied to Chinese groups Salt Typhoon/UNC4841; defenders urged to search DNS/telemetry for 45 unreported domains. Salt Typhoon domains — Silent Push
  • Large‑scale espionage (PhantomCore): chains of RATs/stealers, reverse SSH and scheduled persistence with broad staging infrastructure identified. PhantomRAT campaign — PT Security
  • Lazarus Group 2025 activity: fake IT lures, hijacked OSS packages and tooling (InvisibleFerret, OtterCookie, PyLangGhost) aimed at credentials, crypto and IP. Lazarus 2025 roundup — ANY.RUN

Phishing, automation abuse & cloud email compromise

  • Automated, high‑success credential theft using the Axios user agent + Microsoft Direct Send — observed 241% spike; campaigns use QR codes and short‑lived domains. Axios/DirectSend abuse — ReliaQuest
  • Compromised AWS keys escalated SES accounts to production to send verified‑domain phishing at scale — novel multi‑regional and programmatic account techniques. AWS SES abuse — Wiz
  • SMS/social phishing themes: fake BMV/DMV ticket scams and GLP‑1 prescription lures harvest payment/ID data via rotating scam domains. DMV SMS scams — Malwarebytes
  • HijackLoader/ClickFix phishing chain: CAPTCHA pages and fake installers unpack obfuscated PowerShell that injects .NET PE droppers delivering stealers like Neko/Deer/Lumma. HijackLoader ClickFix — Seqrite
  • Malvertising + Node.js trojans disguised as AI apps (EvilAI) use code‑signing, professional UIs and stealers with AES‑encrypted C2; broad industry impact. EvilAI campaign — Trend Micro

Supply‑chain, OSS and repo compromise

  • Coordinated npm/OSS compromises inject wallet‑drainers that rewrite crypto destinations; campaigns abused maintainer phishing (npmjs.help) — check and reinstall packages. npm maintainer compromise — Aikido
  • DuckDB & other high‑profile npm accounts were compromised in the same supply‑chain campaign — obfuscated wallet drainer repeated across packages. DuckDB npm compromise — Socket
  • GitHub Actions supply‑chain theft (the Ghost Action campaign) exfiltrated 3,325 CI/CD secrets from abused workflows — rapid disclosure limited further abuse. Ghost Action — GitGuardian
  • Unit42: high‑value Salesforce data theft and supply‑chain incidents (Salesloft/Drift) show actors monetizing CRM data; expect shifts after law enforcement/mitigations. Salesforce/supply‑chain analysis — Unit 42

Malicious filetypes, loaders & evasion innovations

  • Weaponized SVG/SWF files abused to run embedded JavaScript and deliver phishing droppers — VirusTotal retrohunt found 523 related undetected SVGs impersonating Colombian justice sites. SVG campaign discovery — VirusTotal
  • BAT + SVG loaders and CDN hosting used to drop in‑memory RATs (XWorm, Remcos) with AMSI/ETW bypass and fileless techniques. BAT/SVG loader analysis — Seqrite
  • GPU‑gated implant (GPUGate) distributed via Google Ads + trojanized GitHub Desktop installer; hardware‑bound decryption evades many sandboxes. GPUGate — Arctic Wolf
  • SEO poisoning and fake software sites pushed installers (MSI) distributing Hiddengh0st and Winos with persistence and anti‑analysis features. SEO poisoning — FortiGuard Labs
  • Azure Functions used as C2: malicious ISO chain sideloads a DLL that phones home to an Azure sites endpoint — shows cloud function abuse for stealthy C2. Azure Functions C2 — dmpdump

Botnets, IoT & Linux malware

  • Modular Linux botnet LunoC2 combines crypto‑mining and many DDoS methods with self‑healing updates, strong anti‑analysis and hardcoded Monero wallet. Luno botnet — Cyble
  • Mirai‑based resurgence (previously “Gayfemboy”) now exploits router vulnerabilities across multiple vendors for modular DDoS/backdoor campaigns. IoT botnet resurgence — Fortinet

Vulnerabilities & active exploitation

  • Critical SAP NetWeaver RCE (CVE‑2025‑31324) actively exploited since March 2025; attackers deploy JSP web shells and the Auto‑Color Linux backdoor against exposed dev servers. SAP CVE‑2025‑31324 — Seqrite
  • ACSC warns of active exploitation of SonicWall SSL VPN (CVE‑2024‑40766) — upgrade firmware, reset SSLVPN credentials, enable MFA and block malicious IPs. SonicWall exploitation — Cyble/ACSC
  • Sitecore ViewState deserialization (CVE‑2025‑53690) used to gain RCE and deploy reconnaissance/tunneling tools — actor chains include WEEPSTEEL/EARTHWORM. Sitecore exploitation — Google Cloud/Mandiant
  • UEFI/bootkit research: HybridPetya can install a UEFI bootkit and one variant leverages CVE‑2024‑7344 to bypass Secure Boot on vulnerable hosts (no in‑wild spread seen). HybridPetya — ESET
  • Exploit writeups and kernel research: Teredo race condition analysis (tunnel.sys bugcheck) and an eneio64.sys PoC showing physical→virtual memory R/W abuse to escalate privileges on Windows. Teredo bugcheck — Medium

Supply, infrastructure & crime‑linked investigations

  • Clop infrastructure traced to Alviva Holding Ltd (Seychelles shell network) linking ransomware ops to specific ASNs and historical abuse — useful for gathering threat intel and takedowns. Alviva/Clop investigation — The Raven File
  • Dark‑web actor profile: Telegram‑based Mr Hamza combines hacktivism with DDoS tool sales and bespoke Layer‑7 flooding tooling. Mr Hamza profile — SOCRadar
  • CI/CD exfiltrations (Ghost Action) and wide repo impacts underscore the need for secret rotation and registry mitigations after incidents. Ghost Action — GitGuardian

Threat trends, hunting & defensive guidance

  • Mid‑year threat review: actors increasingly use LLMs/AI to scale phishing/social engineering; ransomware‑as‑a‑service affiliates drive rapid encryptions. 2025 mid‑year threats — Darktrace
  • Practical hunting: pivot techniques (hosts, headers, DNS, certificates) remain productive months later; defenders should re‑run pivots regularly. Pivots revisited — Validin
  • Integrations to improve visibility: use Admin By Request with Wazuh to centralize privileged elevation telemetry and detect anomalous admin activity. ABR + Wazuh — Wazuh
  • Rare operational insight: an attacker’s accidental installation of Huntress EDR exposed toolchains, AI workflows and infrastructure choices — a reminder to instrument attacker telemetry. Attacker opsec blunder — Huntress

Threat Research | Weekly Recap – hendryadrian.com