Cybersecurity Threat Research ‘Weekly’ Recap

This week highlights a breadth of activity across ransomware, cloud and identity abuse, infostealers, APTs, phishing, and infrastructure abuse, with notable trends in cross‑platform extortion, OAuth persistence, ESP‑style backdoors, and supply‑chain abuse. The report also covers defensive tooling advancements, geopolitical cyber campaigns, and sector‑focused incident trends, including insights on detection challenges and emerging attacker techniques.

#Global Group #Agenda #ToolShell #Lazarus #DeskRAT #StealthServer #PhantomCaptcha #COLDRIVER #PassiveNeuron #NetSupport #Tollbooth #VaultViper #UNC6229 #Tykit #JingleThief #Hiddengh0st #Winos #OdysseyStealer #NuGet #YouTubeGhostNetwork #Copish #AzureHound #OAuthAppPersistence #ADCS #M365 #PDFObjectHashing #YARA #MSIX #GlobalGroup #PremierPassasAService #DarkCovenant #ProRussia #KoreanFinance
Ransomware & extortion
- RaaS operation with cross-platform Go payloads, AI-assisted extortion and ties to Mamona/BlackLock — Emulating Global Group
- Linux ransomware deployed on Windows via remote-management tools, BYOVD techniques and stolen Veeam creds (impacting hybrid environments) — Agenda (Qilin) Linux variant
- SharePoint ToolShell exploitation linked to China-aligned activity and use of LockBit/Warlock-era tactics — Warlock origins
- Q3–Sept surge in ransomware (Qilin prominence), industry/country stats and three-year trends — Sept 2025 Ransomware trends
- Post-incident analysis of a large BlackBasta breach highlights detection/AD failures, exfiltration methods and remediation lessons — BlackBasta lessons
- Scattered LAPSUS$ Hunters: extortion-as-a-service, data theft and new extortion actor activity (SHINYSP1D3R claim) — Scattered LAPSUS$ Hunters
Cloud & identity abuse
- Open-source Azure enumerator abused for cloud discovery and privilege mapping; monitor Microsoft Graph, Entra sign-in logs and user-agent strings beginning with azurehound/ — AzureHound misuse
- Attackers automate the creation of malicious internal OAuth apps for persistent tenant access (survives credential/MFA resets); remediation: revoke client secrets and remove the apps — OAuth app persistence
- Copilot Studio agents abused to wrap OAuth consent flows and exfiltrate tokens via legitimate Microsoft domains — CoPhish (Copilot Studio)
- Unicode/zero-width characters used to bypass reserved-name protections and register deceptive Azure apps (patched) — Azure App‑Mirage
- Querying Azure WireServer from compromised VMs to fetch & decrypt VM extension “Protected Settings” for pivoting; MicroBurst scripts provided — Azure WireServer decryption
- ADCS misconfigurations and Certipy/Certify-driven ESC techniques enable certificate-based privilege escalation across on‑prem/hybrid domains — ADCS privilege escalation
- Decoded Microsoft 365 audit log numeric bitfield for UserAuthenticationMethod to translate opaque auth flags (helps investigations) — M365 auth bitfield decode
Infostealers, gamers & wallet theft
- Vidar Stealer 2.0: C rewrite with multithreading, anti-analysis, AppBound bypass and polymorphic builder — Vidar Stealer 2.0
- Analysis of the Lumma infostealer distributed via MaaS and pirated‑software sites; recommends EDR behaviour detections (link not provided) — Lumma infostealer analysis
- Python infostealer RedTiger targets gamers (Discord tokens, wallets, game accounts) and exfiltrates via GoFile+Discord webhook — RedTiger infostealer
- New Python RAT impersonates a Minecraft client (“Nursultan Client”) and uses Telegram Bot API for C2 to steal tokens/screenshots — Nursultan Client RAT
- Node.js cross‑platform RAT/infostealer OtterCandy (v2 adds victim_id, expanded Chromium/extension theft) — OtterCandy
- macOS campaign impersonates developer tools to trick users into executing installers delivering Odyssey Stealer and AMOS across many phishing sites — Odyssey Stealer (macOS)
- NuGet homoglyph typosquat (Netherеum.All) impersonated Nethereum to XOR-exfiltrate wallet keys — NuGet typosquat
- YouTube Ghost Network uploaded thousands of malicious videos to distribute infostealers (Lumma → Rhadamanthys) via abuse of platform features — YouTube Ghost Network
- Malicious Chrome extension “Mac Spoofer” delivered via ZIP attachment with installation instructions to sideload and steal credentials — Mac Spoofer extension
RATs, APTs & targeted backdoors
- Lazarus Operation DreamJob targets European UAV/defense suppliers with trojanized OSS, DLL side‑loading and the ScoringMathTea RAT to steal manufacturing IP — Lazarus targets UAV sector
- APT36 / TransparentTribe deployed Golang DeskRAT to Linux targets using .desktop lures and WebSocket C2 with Linux persistence vectors — DeskRAT (APT36)
- Cross‑platform Golang backdoor StealthServer (file theft, C2 exec) delivered via diverse loaders with ties to APT36‑style lures — StealthServer (APT36)
- Multi-stage WebSocket RAT (PhantomCaptcha) used in single‑day spearphishing against NGOs/Ukraine with fake Cloudflare captchas and Android lures — PhantomCaptcha WebSocket RAT
- COLDRIVER replaced LOSTKEYS with NOROBOT/YESROBOT/MAYBEROBOT families, evolving ClickFix lures and loader tactics — COLDRIVER new malware
- PassiveNeuron espionage campaign deployed Neursite/NeuralExecutor implants, Cobalt Strike and DLL loaders against high‑profile servers across Asia/Africa/LatAm — PassiveNeuron campaign
- NetSupport Manager abused via ClickFix social engineering to deliver NetSupport RAT loaders (PowerShell/MSI/JSON) across clustered actor groups; YARA and unpackers available — NetSupport via ClickFix
- SharePoint ToolShell exploitation used to drop loaders/backdoors (Zingdoor, KrustyLoader, ShadowPad) in telecom breaches — ToolShell exploit campaigns
- Mass IIS compromises using exposed ASP.NET machine keys to install malicious modules/rootkits (TOLLBOOTH/HijackServer) for SEO fraud and stealthy remote control — IIS compromises (TOLLBOOTH/HijackServer)
Phishing, smishing & social-engineering campaigns
- Vietnam-based cluster UNC6229 uses fake job postings and CRM abuse to deliver RATs and steal advertising/social account credentials (MFA‑capable phishing kits) — UNC6229 fake job postings
- Huge China‑based smishing campaign using hundreds of thousands of short‑lived domains to impersonate services and harvest credentials — Global smishing campaign
- Phishing kit Tykit uses SVGs + obfuscated JS and CAPTCHA/trampoline steps to steal Microsoft 365 credentials at scale — Tykit phishing kit
- Server‑orchestrated phishing script selects random domains and does dynamic page replacement with dual UUIDs to evade detection and steal creds — Server‑orchestrated phishing script
- Cloud‑based gift‑card fraud campaign (Jingle Thief) abuses phishing/smishing to steal M365 creds and persist via device/authenticator registrations — Jingle Thief campaign
Malicious infrastructure, DNS & SEO abuse
- DNS/domain analytics techniques to detect fast‑flux, recurring infra patterns and soon‑to‑be‑malicious assets despite CDN/cloud abuse — Detecting Fast Flux & infra patterns
- WhoisXML Q3 2025 domain activity: 25.7M+ new domains, 3.2M+ IOCs, TLD/registrar trends and anomalous ccTLD behaviours — Q3 2025 domain activity
- SEO‑poisoning campaign using malicious plugins/look‑alike sites to deliver Hiddengh0st and Winos; expanded DNS/IOC footprint mapped — Hiddengh0st/Winos SEO poisoning
- iGaming white‑label operator (Vault Viper) distributed a custom “Universe Browser” routing traffic via China and installing persistent RAT‑like programs supporting fraud and money‑laundering networks — Vault Viper iGaming operator
Detection, hunting & defensive tooling
- PDF Object Hashing fingerprints PDFs via internal object structure to detect/cluster obfuscated or encrypted malicious PDFs — PDF Object Hashing
- Continuous YARA on live host response data with timestamped/contextual detections, rule versioning and collaborative projects — YARA continuous detection
- MSIX packaging abused to deliver elevated loaders/RA‑tools; MSIXBuilder + Splunk analytics provided to generate test packages and detect abuse (FIN7/Storm‑0569) — MSIX weaponization & MSIXBuilder
- AttackIQ emulation/attack graph to validate detections against Global Group RaaS behaviours — Global Group emulation
- Survival‑analysis (Kaplan–Meier) applied to Qualys VMDR in Elastic to produce more accurate time‑to‑patch metrics and SLO measurements — Time‑to‑Patch survival analysis
Supply‑chain & repository abuse
- Homoglyph typosquat on NuGet (Netherеum.All) exfiltrated wallet keys; packages removed after discovery — NuGet typosquat
- PyInstaller binaries and signed developer certs used widely to distribute gamer‑focused stealers and RATs (multiple campaigns) — PyInstaller/signed binaries in gamer malware
Geopolitical campaigns & ecosystem trends
- Trend toward collaborative “Premier Pass‑as‑a‑Service” models enabling shared access and coordinated deployment of CrowDoor/ShadowPad across China‑aligned espionage campaigns — Premier Pass‑as‑a‑Service
- Operation Endgame and selective Russian enforcement reshaped the cybercrime ecosystem (takedowns, rebrands, OPSEC tightening) — Dark Covenant 3.0
- Pro‑Russia information operations amplified narratives around Polish airspace drone incursions to shift blame and undermine NATO/Poland — Pro‑Russia info ops
- Sept 2025 incidents in Korean/global financial sector: DB leaks, ransomware (Qilin), supply‑chain and credential leak trends affecting finance — Sept 2025 finance sector incidents