Threat Research | Weekly Recap [21 Sep 2025]

Cybersecurity Threat Research ‘Weekly’ Recap. The report highlights a week of widespread vulnerability disclosures, supply-chain attacks, and ransomware trends, including a self-replicating npm worm (Shai-Hulud) and numerous loader, adware, and credential-stealing campaigns that span multiple platforms from Windows to macOS and mobile. It also covers APT/state-aligned operations, targeted phishing, and defensive tooling to enhance detection and response.
#Shai-Hulud #SystemBC #ChillyHell #Oyster #Kawa4096 #BlackLock #Qilin #Kimsuky #TA415 #TA415WhirlCoil

Vulnerabilities & exploit risk

  • Mass disclosure week — >1,045 vulnerabilities (Sept 10–16) with 135+ public PoCs accelerating weaponization across Apple, Zimbra, Samsung Android, Adobe Commerce and others. — Week in Vulnerabilities: 1,000+ Bugs
  • SonicWall VPN compromise chain — attacker used a compromised SonicWall VPN + exposed recovery codes to uninstall agents and enable Akira ransomware execution. Highlights credential handling risk. — Akira via SonicWall VPN

Supply-chain & developer ecosystem attacks

  • Novel self‑replicating npm worm (Shai‑Hulud) compromised hundreds of packages, adding a postinstall‑executed bundle.js that steals tokens/credentials and persists via GitHub Actions workflows; impacted tinycolor, CrowdStrike namespaces and many others. — Shai‑Hulud / npm supply‑chain worm
  • Ongoing npm campaign — additional packages (including @ctrl/tinycolor and CrowdStrike-published packages) were repacked to scan for secrets and create exfiltration workflows. — Ongoing CrowdStrike/npm compromise
  • Malicious PyPI packages (typosquatting) dropped the SilentSync RAT, enabling RCE, file exfiltration and browser data theft; recommended package hygiene and runtime monitoring. — Malicious PyPI → SilentSync
  • MCP/Model‑Context Protocol risks — proof‑of‑concept MCP packages and malicious MCP servers can harvest env files, keys and tokens; researchers outline sandboxing, least privilege and human approval mitigations. — MCP & DevTools supply‑chain risks
  • Tooling & detection updates — Sysdig, Trend Micro and others published detections/mitigation playbooks (Falco/Sysdig Secure, runtime monitoring, version pinning, credential rotation). — Sysdig detections for Shai‑Hulud
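The two npm items above describe the same mechanism: a lifecycle hook (postinstall) added to a repacked package that runs a dropped bundle.js. A practical first check in an affected environment is to enumerate every package.json in a dependency tree and surface install‑phase hooks, flagging those that reference bundle.js or shell out to download/decode tooling. The script below is an added example for this recap, not code from any vendor named on the page; the package names, the tree layout and the extra heuristic tokens (curl/wget/base64/eval) are constructed assumptions, only the bundle.js indicator comes from the write‑ups above.

```python
from __future__ import annotations

import json
import tempfile
from dataclasses import dataclass
from pathlib import Path

# npm runs these hooks automatically during `npm install`; a hook here is
# the point at which a repacked package gains code execution on a dev box or CI runner.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# "bundle.js" is the indicator reported for Shai-Hulud; the remaining tokens are
# assumed generic download/decode heuristics added for this example.
HIGH_RISK_TOKENS = ("bundle.js", "curl ", "wget ", "base64", "eval(")


@dataclass
class Finding:
    package: str
    version: str
    hook: str
    command: str
    severity: str  # "high" when a risk token matches, otherwise "review"
    path: str


def audit_package_json(data: dict, path: str) -> list[Finding]:
    """Return one Finding per install-phase hook declared in a parsed package.json."""
    findings: list[Finding] = []
    scripts = data.get("scripts")
    if not isinstance(scripts, dict):
        return findings
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str) or not cmd.strip():
            continue
        severity = "high" if any(tok in cmd for tok in HIGH_RISK_TOKENS) else "review"
        findings.append(
            Finding(
                package=str(data.get("name", "<unnamed>")),
                version=str(data.get("version", "?")),
                hook=hook,
                command=cmd,
                severity=severity,
                path=path,
            )
        )
    return findings


def audit_tree(root: str | Path) -> list[Finding]:
    """Walk a checkout or node_modules tree and audit every package.json found."""
    findings: list[Finding] = []
    for pj in sorted(Path(root).rglob("package.json")):
        try:
            data = json.loads(pj.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than crash the audit
        if isinstance(data, dict):
            findings.extend(audit_package_json(data, str(pj)))
    return findings


def write_constructed_sample(root: str | Path) -> None:
    """Create a small constructed node_modules tree (placeholder packages, not real ones)."""
    samples = {
        "example-compromised-pkg": {"version": "2.0.1", "scripts": {"postinstall": "node bundle.js"}},
        "example-native-pkg": {"version": "1.4.0", "scripts": {"install": "node-gyp rebuild"}},
        "example-clean-pkg": {"version": "3.1.0", "scripts": {"test": "jest"}},
    }
    for name, body in samples.items():
        pkg_dir = Path(root) / "node_modules" / name
        pkg_dir.mkdir(parents=True, exist_ok=True)
        (pkg_dir / "package.json").write_text(json.dumps({"name": name, **body}), encoding="utf-8")


def demo() -> list[Finding]:
    """Build the constructed tree in a temp dir, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        write_constructed_sample(tmp)
        return audit_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.severity}] {f.package}@{f.version} {f.hook}: {f.command}  ({f.path})")
```

Run it against a real checkout with `audit_tree("path/to/repo")`; "review" findings are expected for native add‑ons (node‑gyp builds), so the useful signal is any "high" hit plus any hook that appears in a package version that did not have one before, which is where version pinning and lockfile diffs from the Sysdig guidance above come in.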

Malware, loaders, botnets & infostealers

  • New multi‑variant loader — CountLoader seen in .NET, PowerShell and JScript variants fetching Cobalt Strike, Adaptix, PureHVNC and others; links to ransomware clusters including LockBit and BlackBasta. — CountLoader multi‑variant loader
  • SystemBC proxy botnet — 80+ C2s and ~1,500 daily compromised VPS victims used as high‑volume proxies (REM Proxy); Lumen published IoCs to disrupt the operation. — SystemBC proxy botnet
  • Info‑stealers & RATs — multiple commodity stealers active: Raven Stealer (Chromium creds → Telegram exfil), DeerStealer (signed binaries, long persistence), XillenStealer (Python GUI builder), Maranhão Stealer (Node.js reflective DLL injection). — Raven/Deer/Xillen/Maranhão summary
  • Mac & cross‑platform threats — a notarized ChillyHell macOS backdoor, and ClickFix campaigns delivering the AppleScript‑based Odyssey macOS stealer that abused Microsoft Teams lures and replaced the Ledger Live app. — ChillyHell & Odyssey macOS activity
  • Resurgent and evasion‑hardened loaders — SmokeLoader returned with updated variants and new evasion; PureHVNC/PureCoder and FileFix campaigns use loaders, steganography and multistage PowerShell to deploy stealers like StealC. — SmokeLoader / FileFix / PureHVNC
  • USB/propagation & enterprise evasion — Hive0154’s Toneshell9 tunnels C2 traffic through proxies discovered from the registry, and its SnakeDisk USB worm drops the Yokai backdoor, targeting Thailand. — Hive0154: Toneshell9 & SnakeDisk
  • RMM abuse & repackaged installers — attackers delivered PDQConnect/MSI and trojanized ScreenConnect installers to stage AsyncRAT and other custom RATs; initial access brokers targeted public administrations. — RMM abuse & AsyncRAT via ScreenConnect
  • LLM‑enabled malware emergence — researchers found malware embedding prompts and API keys (MalTerminal, LameHug/PROMPTSTEAL), enabling runtime LLM misuse and new hunting opportunities via prompt/API‑key detection. — Prompts‑as‑Code & LLM‑enabled malware

Ransomware & extortion

  • New & rising RaaS families — BlackLock (cross‑platform Go ransomware), Kawa4096 (brand‑mimicry, chunked Salsa20 encryption), Warlock/GOLD SALEM and Dire Wolf are active with double‑extortion leak sites and multilingual targeting. — BlackLock / Kawa4096 / Warlock / Dire Wolf
  • Qilin & SLTT targeting — Qilin (Agenda) remains a top threat to US SLTT entities in Q2–Q3 2025, using RDP/exploits, double extortion and large ransom demands. — Qilin: top SLTT ransomware
  • Data‑extortion evolution — ShinyHunters expanded to target enterprise cloud apps using AI voice phishing, insider recruitment and supply‑chain access to pursue seven‑figure demands and a ‘shinysp1d3r’ RaaS. — ShinyHunters extortion expansion

APT & state‑aligned operations

  • Cross‑group collaboration — ESET observed Gamaredon tools used to restart/deploy Turla’s Kazuar implants in Ukraine; Gamaredon likely provides access and Turla targets high‑value machines. — Gamaredon × Turla collaboration
  • Russia & Ukraine campaigns — APT28 (Operation Phantom Net Voxel) used weaponized docs, PNG steganography and Covenant/BeardShell implants; Fancy Bear deployed NotDoor Outlook backdoor targeting NATO countries. — APT28 / Fancy Bear campaigns
  • China‑aligned espionage — TA415 used spearphishing and VS Code Remote Tunnels (WhirlCoil) against U.S. policy/think‑tank targets; CISA/Federal partners also released joint guidance on Salt Typhoon/SparrowDoor/ShadowPad activity. — TA415 & CISA advisory response
  • North Korea deepfake ops — Kimsuky used ChatGPT to craft deepfake South Korean military ID images in spear‑phishing campaigns delivering obfuscated loaders. — Kimsuky AI deepfake spear‑phish
  • South Asia targeting — APT‑C‑24 used LNK/HTA chains to memory‑load C# loaders and rapidly rotate C2s against government/military/energy targets. — APT‑C‑24 obfuscated LNK loader

Phishing, hosting abuse & ad‑fraud delivery

  • Fake CAPTCHA gates on AI‑native hosting — attackers host credential‑harvesting CAPTCHA pages on Vercel, Netlify and similar platforms to evade scanners and scale phishing. — Fake CAPTCHA on AI hosting
  • Targeted phishing waves — campaigns spoofing Politecnico di Milano, Microsoft Teams and using job/invoice lures targeted construction, hospitality and government sectors to deliver FormBook, VenomRAT and other RATs. — Targeted phishing → FormBook / VenomRAT
  • SEO poisoning & typosquats — typosquatted PuTTY sites (putty[.]run) distributed a trojanized installer that drops the Oyster backdoor via scheduled tasks and DLL side‑loading. — SEO poisoning → Oyster backdoor
  • Malvertising & adtech abuse — Vane Viper (PropellerAds‑linked) operates a resilient malvertising/TDS ecosystem using short‑lived domains, push abuse and service‑worker chaining to deliver malware and fraud. — Vane Viper ad‑fraud network
  • Credential‑harvest domain cluster — PoisonSeed registered domains spoofing SendGrid and used fake Cloudflare CAPTCHA interstitials to harvest enterprise credentials. — PoisonSeed credential phishing

Detection, telemetry & defensive tooling

  • Network monitoring guidance — Wazuh + Zeek integration walkthrough for unified Zeek log ingestion, enrichment, alerting and automated response to network threats. — Wazuh + Zeek network monitoring
  • Autonomous security vision — Recorded Future outlines threat‑memory, actor recognition and autonomous decision engines (Intelligence Graph®) as foundations for AI‑driven defense. — AI for autonomous security
  • RDAP & domain telemetry — WhoisXML’s TLD RDAP Monitor tracks RDAP/WHOIS support across 1,400+ TLDs to aid investigations and brand protection. — TLD RDAP Monitor
  • Analyst workflow tools — Validin added Dashboard Feeds and daily PTR scanning to surface short‑lived reverse DNS indicators and IOCs. — Validin Dashboard Feeds & PTR
  • Threat hunting & playbooks — AttackIQ, Sysdig, Zscaler and vendor blogs published IOCs, detection rules and playbooks for the above incidents (Shai‑Hulud, SystemBC, SmokeLoader). — IOCs & playbooks from vendors

Threat Research | Weekly Recap – hendryadrian.com