Threat Research | Weekly Recap [23 Nov 2025]

This week's Cybersecurity Threat Research Recap covers a broad spectrum of activity, from APT and state-backed espionage campaigns to email, banking malware, ransomware, phishing and supply-chain abuse, along with updates on detection and defensive tooling. Key actors and families mentioned include APT35, APT24, ToddyCat, MuddyWater, UNC1549, Curly COMrades, Kimsuky, NotDoor, WaterSaci, Astaroth, Eternidade, Sarcoma, Lynx, Akira, The Gentlemen, Tycoon2FA, Tsundere, PlushDaemon, NKNShell and TamperedChef, together with related C2 and tradecraft trends.
#APT35 #APT24 #ToddyCat #MuddyWater #UNC1549 #CurlyCOMrades #Kimsuky #NotDoor #WaterSaci #Astaroth #Eternidade #Sarcoma #Lynx #Akira #TheGentlemen #Tycoon2FA #Tsundere #PlushDaemon #NKNShell #TamperedChef

APTs & state-backed espionage

  • Leaked APT35 corpus shows quota- and KPI-driven IRGC operations exploiting Exchange (ProxyShell/Autodiscover/EWS) and monitoring victim mailboxes. – APT35 leak
  • GTIG details APT24’s multi-vector espionage using obfuscated BADAUDIO downloader, web/supply‑chain compromises, and Cobalt Strike payloads. – APT24 / BADAUDIO
  • ToddyCat expanded toolset to exfiltrate browser creds, DPAPI keys, Outlook OSTs and M365 tokens via SMB collection and memory dumps. – ToddyCat email theft
  • Group‑IB exposes a refreshed MuddyWater toolkit enabling international espionage with new implants and TTPs. – MuddyWater toolkit
  • UNC1549 targeted aerospace/defense with spear-phishing, supplier compromise and custom backdoors (TWOSTROKE, DEEPROOT, etc.) using Azure/SSH tunnels. – UNC1549 analysis
  • Curly COMrades abused Hyper‑V to host hidden Alpine VMs running custom implants (CurlyShell, CurlCat) for covert persistence and proxying. – Curly COMrades
  • Contagious Interview: DPRK fake‑job platform lures AI/crypto talent into clipboard‑hijack workflows that deliver staged VBScript loaders and multi‑stage malware. – Contagious Interview
  • Kimsuky campaign using wedding‑photo lures to deliver malware via social engineering (regional/actor attribution reporting). – Kimsuky wedding‑photo lure

Email, Outlook, and mailbox-focused threats

  • NotDoor Outlook VBA backdoor (APT28) uses OneDrive DLL sideloading, encoded PowerShell, registry persistence and email‑triggered C2 detection artifacts. – NotDoor (Outlook)
  • Exchange/Outlook‑centric tooling (mailbox monitoring, OST and token theft) recurs across multiple APT operations. – Email‑centric theft (ToddyCat)

Messaging-borne banking malware (WhatsApp & worms)

  • Water‑Saci campaign abused WhatsApp Web via Python/Selenium to propagate banking trojans and in‑memory payloads targeting Brazil. – Water‑Saci / WhatsApp
  • STAC3150 WhatsApp campaign delivered downloaders that harvest WhatsApp session data and ultimately install Astaroth banking trojan via Selenium/WPPConnect. – Astaroth via WhatsApp
  • Trustwave SpiderLabs found Eternidade stealer distributed through a WhatsApp‑propagating worm with MSI droppers and localized Brazilian targeting. – Eternidade / WhatsApp
  • Maverick/Coyote banking trojans continue spreading via WhatsApp downloads and obfuscated loaders targeting Brazilian banks. – Maverick / Coyote

WSUS & software‑update exploitation

  • Actors exploited WSUS RCE (CVE‑2025‑59287) to deploy Velociraptor from S3 and to configure malicious update endpoints for persistent C2. – WSUS → Velociraptor
  • Separate findings show ShadowPad delivered via the same WSUS RCE chain using certutil/curl and ETDApix.dll sideloading; mitigation: patch WSUS and restrict access. – ShadowPad via WSUS

Ransomware & extortion trends

  • October 2025 ransomware trends: Inc_Ransom dominance and new Qilin activity (notable attacks vs. Japanese firms) with DLS stats and detection signals. – Oct 2025 ransomware trends
  • CISA/FBI update on Akira RaaS: documented TTPs include credential dumping, lateral movement, ChaCha20/RSA‑4096 encryption and high ransom demands. – Akira advisory
  • Sarcoma profiled as a fast‑emerging double‑extortion RaaS targeting Windows/Linux/ESXi across US, Italy and Canada. – Sarcoma profile
  • Lynx intrusion used valid RDP creds, rapid lateral movement, data exfiltration to temp.sh and backup deletion before encryption. – Lynx incident
  • Analysis of The Gentlemen ransomware family, TTPs and observed campaigns. – The Gentlemen

Phishing, MFA bypass & social engineering

  • Tycoon 2FA PhaaS uses real‑time Adversary‑in‑the‑Middle pages to capture credentials, session tokens and bypass legacy MFA with dynamic obfuscation. – Tycoon 2FA
  • Phishing trends (Oct 2025): attachments dominated by Trojans (47%), heavy use of OLE downloaders and compressed JS droppers; regional focus on Korean campaigns. – Oct 2025 phishing trends
  • Threat actor campaign delivering signed MSI/EXE installers via holiday/party invite lures to install persistent RMM tools (ScreenConnect, LogMeIn Resolve, Naverisk). – RMM via phishing lures
  • Abuse of URL shorteners (t.ly, tinyurl, rebrand.ly, is.gd, goo.su, qrco.de) to scale credential phishing and malware delivery across multiple families. – URL shorteners abused

Malware ecosystems, supply‑chain & signed/packaged abuse

  • “TamperedChef” global malvertising/SEO campaign uses acquired code‑signing certificates to distribute signed fake installers and obfuscated JS backdoors. – TamperedChef signed installers
  • npm‑based campaign (dino_reborn) used Adspect cloaking to fingerprint and serve fake CAPTCHAs that redirect to malicious crypto‑phishing sites. – npm + Adspect cloaking
  • Tsundere Node.js botnet installs via MSI/PowerShell, uses npm libs and stores WebSocket C2 addresses in an Ethereum smart contract. – Tsundere / blockchain C2

Infostealers, commodity malware & novel obfuscation

  • AhnLab’s infostealer report: SEO‑poisoned crack/keygen distribution, DLL sideloading, and top families (Rhadamanthys, ACRStealer, LummaC2) with C2 patterns. – Infostealer trend report
  • Masked‑in‑Memory Python sample unpacks a marshalled .pyc, injects into cvtres.exe and loads a .NET component for encrypted C2. – Hidden .pyc memory loader
  • DarkComet RAT variant hidden inside fake Bitcoin tool RAR installs persistence, keylogging and beacons to hardcoded DDNS C2. – DarkComet Bitcoin lure
  • Netskope shows LLMs (GPT‑3.5/4 and early GPT‑5 tests) can generate malicious code; LLM‑powered malware is feasible but often unreliable, and model guardrails affect capability. – LLM‑powered malware
  • “5 Ways Cybercrime Became a Subscription Business” highlights pay‑as‑you‑go services (phishing, OTP bots, access rentals) lowering attacker barriers. – Crime as subscription
  • LOLBin abuses explained with interactive sandbox examples to reveal living‑off‑the‑land misuse and detection pointers. – LOLBin attacks guide
  • macOS AppleScript droppers (.scpt) used as social‑engineered droppers for MacSync/Odyssey stealers, bypassing Gatekeeper via user interaction. – macOS AppleScript droppers

Network implants, update‑hijacking & C2 innovation

  • ESET documents PlushDaemon using MIPS EdgeStepper implants to forward DNS, hijack updates and deploy SlowStepper backdoors via update‑hijacking chain. – PlushDaemon / EdgeStepper
  • Larva‑24010 distributed trojanized VPN installer that deploys MeshAgent, gs‑netcat and new NKNShell using NKN/MQTT for C2; persistence via PowerShell downloaders. – NKNShell via VPN site

Detection, threat intelligence & defensive tooling

  • Recorded Future showcases automated threat intelligence for machine‑speed detection, ML risk scoring and SIEM/SOAR/EDR integrations. – Threat intel automation
  • Recorded Future’s Threat Intelligence Maturity Model (Reactive→Autonomous) and operationalization guidance for CTI teams. – Operational CTI model
  • SentinelOne released a Validin + Synapse power‑up for time‑aware, cross‑source infra discovery and campaign expansion pivots. – Threat Hunting Power Up
  • Datadog highlighted as a 2025 cloud security leader for linking code, observability and runtime security to reduce investigation complexity. – Datadog cloud security
  • AttackIQ published Sandworm emulation content detailing webshells, living‑off‑the‑land TTPs and sample artifacts for red/blue teams. – Sandworm emulation

Threat Research | Weekly Recap – hendryadrian.com