Threat Research | Weekly Recap [28 Sep 2025]

Cybersecurity Threat Research ‘Weekly’ Recap. A wide range of threats were observed, including information-stealers, supply-chain abuses, botnets, ransomware, state-aligned APTs, web/infrastructure compromises, and offensive tooling, with notable activity across Europe, Asia, and online ecosystems. The report emphasizes defensive controls, incident response best practices, and AI/LLM security risks such as MCP backdoors and AI-obfuscated phishing campaigns.
#Malware #AmateraStealer #PureMiner #DarkCloud #HeartCrypt #XWorm #YiBackdoor #BlockBlasters #GreedyBear #XCSSET #BeaverTail #InvisibleFerret #ShaiHulud #fezbox #Shai-Hulud #ShadowV2 #MUSE #SaltTyphoon #RedNovember #NimbusManticore #COLDRIVER #PlugX #BRICKSTORM #HiddenWordPressBackdoors #OperationRewrite #GeoServer #Tycoon2FA #LNK #Zloader #RUGpull #MCP #AIobfuscatedphishing

Malware & Info‑stealers

  • Phishing emails carrying AI‑obfuscated SVG attachments delivered CHM→HTA loaders and JavaScript that deployed Amatera Stealer and PureMiner, enabling credential/wallet theft and cryptomining; observed against targets in Ukraine. Fortinet: SVG Phishing (Amatera/PureMiner)
  • Spear‑phish with banking lure delivered VB6 DarkCloud v3.2 info‑stealer — browser/password/wallet theft, keystroke/clipboard capture, sandbox evasion and multiple exfil methods. eSentire: DarkCloud analysis
  • HeartCrypt packer‑as‑a‑service modifies legit EXEs with position‑independent loaders and XOR payloads to distribute RATs/stealers (Lumma, AsyncRAT, Rhadamanthys) and an AV killer. Sophos: HeartCrypt packer service
  • XWorm is a modular .NET RAT MaaS (keylogger, clipper, persistence, optional ransomware) with diverse delivery chains used by multiple groups. LogPoint: XWorm analysis
  • New YiBackdoor family (code overlap with IcedID/Latrodectus) injects into svchost, uses Run registry persistence and dynamic TripleDES C2 keys. Zscaler: YiBackdoor
  • Steam game patch for BlockBlasters delivered backdoor and StealC stealer to players, exfiltrating system and wallet data. G Data: BlockBlasters malware
  • GreedyBear campaign used malicious Firefox extensions and executables to steal >US$1M via targeted phishing and extension abuse. Koi Security: GreedyBear deep dive
  • macOS XCSSET evolved: added Firefox data exfiltration, clipboard wallet‑address substitution, LaunchDaemon persistence and run‑only AppleScript execution. Microsoft: XCSSET update
  • North Korea‑linked operators used ClickFix/social engineering to distribute BeaverTail and InvisibleFerret via fake hiring sites. GL‑Security: BeaverTail/InvisibleFerret
  • Vietnamese actor(s) shifted from PXA Stealer to PureRAT via multi‑stage in‑memory loaders and .NET process hollowing; related Lone None campaigns used copyright‑takedown lures and Telegram C2s. Huntress: PureRAT / actor evolution
  • Large malvertising campaign impersonating TradingView across Meta, Google and YouTube delivered multi‑stage downloaders/stealers that persist via scheduled tasks and Defender exclusions; expanded to macOS/Android. Bitdefender: TradingView malvertising

Supply‑chain & Repository Abuse

  • Self‑propagating npm worm Shai‑Hulud trojanized >500 packages (including @ctrl/tinycolor), hijacked maintainers, injected postinstall scripts to steal tokens/keys and propagate. SecureList: Shai‑Hulud npm worm
  • Multiple malicious packages abused registries: a QR‑steganography npm package fezbox stole browser cookies/passwords, and two Rust crates impersonating fast_log scanned repos for Solana/Ethereum keys and exfiltrated matches. Socket: Malicious npm & Rust packages

Botnets, Loaders & DDoS

  • ShadowV2 DDoS‑for‑hire uses GitHub Codespaces C2, Python spreader with Docker, and a Go RAT with HTTP/2 rapid reset and Cloudflare UAM bypass to enable large HTTP floods. Darktrace: ShadowV2 botnet
  • Loader‑as‑a‑Service infrastructure exploited SOHO router/IoT command‑injection and enterprise app flaws to distribute multi‑arch loaders (Morte, Mirai, RondoDoX) and cryptominers, driving a July–Aug attack spike. CloudSEK: Loader‑as‑a‑Service

Ransomware, Cloud & Major Operational Impacts

  • LockBit 5.0 analyzed: Windows, Linux and ESXi variants with heavy obfuscation, in‑memory DLL reflection, ETW patching and ESXi VM‑wide encryption. Trend Micro: LockBit 5.0
  • Widespread disruptions across European airports after an incident impacting Collins Aerospace’s MUSE passenger processing platform; investigations point to multiple plausible actors though no definitive family confirmed. CYFIRMA: MUSE incident analysis
  • Jaguar Land Rover global IT outage (Sep 2025) halted manufacturing/retail; leaked data and prior infostealer/Jira credential abuse increased follow‑on risk. CYFIRMA: Jaguar Land Rover investigation
  • Ransomware actors increasingly steal and abuse AWS programmatic access keys, using the Pacu framework to enumerate and escalate cloud access; in the investigated cases, rapid response (disabling the keys, auditing their use, monitoring control‑plane telemetry) limited the impact. Varonis: Stolen AWS keys risk

State‑aligned APTs & Long‑term Espionage

  • Salt Typhoon (PRC‑aligned) MSS‑directed program targets telco/defense with router/rootkit implants, contractor‑enabled infrastructure and VoIP/lawful‑intercept collection. DomainTools: Salt Typhoon
  • RedNovember (TAG‑100) targeted gov/defense/tech using Go backdoors (Pantegana), LESLIELOADER, SparkRAT and appliance compromises (SonicWall, Fortinet, Palo Alto, Ivanti, Check Point). Recorded Future: RedNovember
  • Nimbus Manticore (Iran‑nexus) used tailored spear‑phishing and DLL side‑loading families (MiniJunk/MiniBrowse) to target defense, telecom and aviation in Europe/Middle East. Check Point: Nimbus Manticore
  • COLDRIVER (Russia‑linked) updated toolkit with BAITSWITCH downloader and SIMPLEFIX PowerShell backdoor delivered via ClickFix social engineering. Zscaler: COLDRIVER updates
  • Long‑running campaign abusing DLL search order hijacking delivered a new PlugX variant with overlaps to RainyDay and Turian—attributed to Naikon by Cisco Talos. Cisco Talos: PlugX / RainyDay

Web & Infrastructure Compromise

  • BRICKSTORM Go backdoor (UNC5221‑linked) targets network/virtualization appliances (Linux/BSD, vCenter/ESXi) for long‑term stealth, credential theft and VM cloning; includes YARA, IOCs and hunting guidance. Google Cloud: BRICKSTORM
  • Compromised WordPress sites hosted hidden backdoors that created persistent admin accounts, exfiltrated credentials and injected visitor scripts for long‑term control. Sucuri: Hidden WordPress backdoors
  • Operation Rewrite used BadIIS modules and SEO poisoning to serve content to crawlers and proxy victims to scam sites—targeting East/Southeast Asia with Chinese‑speaking actor links. Unit42: Operation Rewrite (BadIIS)
  • CISA advisory on CVE‑2024‑36401 (GeoServer) details multi‑week compromise chains (RCE, web shells like China Chopper, Stowaway C2, lateral movement) and recommended mitigations; AttackIQ published emulation templates. CISA: GeoServer advisory & lessons
  • Telecom sector phishing surge (May–Jul 2025) abused brand impersonation, DGA‑like domains and the Tycoon2FA kit to harvest Microsoft creds and bypass 2FA—actionable IOCs produced for proactive hunting. ANY.RUN: Telecom phishing surge

Techniques, Infection Chains & Tooling

  • Windows shortcut (.LNK) infection chain: Discord‑delivered LNK drops ZIP with malicious DLL executed via odbcconf.exe, disabling AMSI/ETW and persisting via Winlogon Shell modification. K7: LNK → RAT chain
  • Zloader updates: Zeus‑based modular trojan revived with obfuscation, DNS tunneling + WebSocket C2, LDAP discovery commands and custom Base32+XOR DNS encryption—shifting to targeted initial access for ransomware. Zscaler: Zloader technical update
  • Techniques observed across campaigns include DLL sideloading, process hollowing, .NET AOT/in‑memory loaders, reg persistence (regsvr32/run keys), and Defender‑exclusion persistence tactics. Representative: TTPs & anti‑analysis summary

Defensive Guidance & Incident Response

  • Based on more than 7,000 incident response engagements, the 11 Essential Cybersecurity Controls prioritize phishing‑resistant MFA, EDR, telemetry and fast response to reduce dwell time and impact. Cybereason: 11 essential controls
  • Managed EDR: human‑led, telemetry‑driven investigations are key to distinguish malicious activity, determine root cause and enable remediation (real cases: RMM abuse, Akira, RedCurl). Huntress: Managed EDR
  • AttackIQ published emulation templates for the CISA GeoServer incident (AA25‑266A) to validate detection and response controls across Linux/Windows post‑compromise TTPs. AttackIQ: CISA emulation templates

AI & LLM Security

  • Model Context Protocol (MCP) risks: indirect prompt injection and rug‑pull attacks (a tool whose definition changes after it has been trusted) can embed hidden instructions or replace trusted tools, enabling stealthy exfiltration or unauthorized actions in LLM workflows. Netskope: MCP & invisible backdoors
  • Microsoft detected an AI‑obfuscated SVG credential‑phishing campaign and demonstrated AI‑powered message/context protections in Defender for Office 365 that blocked the attack. Microsoft: AI‑obfuscated phishing

Threat Research | Weekly Recap – hendryadrian.com