EmEditor’s official MSI installers were replaced with maliciously signed packages between December 19–22, 2025, delivering an information‑stealing payload that collects system data, credentials, and files before exfiltrating them to attacker-controlled C2 infrastructure. The campaign also installs a persistent browser extension named “Google Drive Caching” with extensive data‑stealing, clipboard‑hijacking, and remote‑control capabilities. #EmEditor #GoogleDriveCaching
Tag: EDR
A kernel-mode malicious driver (ProjectConfiguration.sys) signed with a leaked certificate was used to inject a new ToneShell backdoor into system processes and to protect malicious files, registry keys, and user-mode processes. This activity is attributed to the HoneyMyte APT and uses ToneShell connecting to avocadomechanism[.]com and potherbreference[.]com for C2 communication. #ToneShell #HoneyMyte
Mustang Panda, a Chinese espionage group, has been deploying advanced kernel-mode rootkits and signed drivers to evade detection in their cyberattacks targeting Asian governments and military organizations. The group’s evolving tactics include using sophisticated techniques like API obfuscation and registry monitoring to stealthily infiltrate and persist in victims’ systems. #MustangPanda #ToneShell…
CYFIRMA attributes a targeted multi-stage, fileless espionage campaign to APT36 (Transparent Tribe) that uses weaponized LNK files masquerading as PDFs to deliver HTA loaders and in-memory .NET deserialization payloads. The operation deploys configuration and RAT payloads (ReadOnly/WriteOnly -> ki2mtmkl.dll, iinneldc.dll), adapts persistence based on detected AV products, and maintains encrypted C2 communications to 2.56.10.86 for surveillance and data exfiltration. #APT36 #ReadOnly
Cybercriminals are increasingly using sophisticated ClickFix tools like ErrTraffic v2 to trick users into executing malicious scripts through visual deceptions and fake glitches. These tools are sold cheaply, with high conversion rates, and can target multiple platforms while bypassing modern defenses. #ErrTraffic #ClickFix
Cybersecurity experts have uncovered a targeted spear-phishing campaign using malicious npm packages to facilitate credential theft across critical infrastructure sectors. Attackers leveraged package hosting for resilient, embedded phishing elements that mimic secure document-sharing platforms, with a focus on organizations in manufacturing, healthcare, and industrial automation. #Evilginx #npmsecurity…
Hunt.io and Acronis mapped a broad DPRK operational infrastructure linking Lazarus, Kimsuky, and related subgroups through reused open directories, credential-harvest toolkits, FRP tunneling nodes, and certificate-linked clusters. The investigation exposed a new Linux Badcall variant, widespread MailPassView/WebBrowserPassView staging, identical FRP deployments on port 9999, and certificate pivots that reveal larger Lazarus ecosystems. #Lazarus #Badcall
Arkanix Stealer is an actively developed credential‑theft malware family distributed via Discord and forums that exists in both Python and a paid C++ “Premium” edition and uses VMProtect obfuscation, AMSI/ETW bypasses, anti‑VM/debugging checks, ChromElevator process hollowing to defeat App‑Bound Encryption, and HTTP POST exfiltration to arkanix[.]pw. The operators host a gated control panel and expose infrastructure mistakes that reveal origin IPs used for C2 and hosting. #ArkanixStealer #ChromElevator
ThreatsDay Bulletin: Stealth Loaders, AI Chatbot Flaws, AI Exploits, Docker Hack, and 15 More Stories
Cybersecurity is evolving with attackers blending into normal tech environments using sophisticated tactics like open-source tools, AI, and social engineering. The future of defense depends on increased awareness of these subtle and innovative threats. #Nezha #RokRAT…
The Artemis campaign is a sophisticated cyber-espionage effort by North Korea-linked APT37, targeting individuals by posing as media personnel and delivering malicious HWP files. The operation employs advanced evasion techniques, including legitimate process masquerading and multi-cloud infrastructure, to bypass detection. #APT37 #ArtemisCampaign…
Three related IIS-originated intrusions demonstrated a consistent attacker workflow: exploitation of web application flaws to run commands via w3wp.exe, attempts to deploy a Go-based agent (agent.exe/815.exe/test.exe), use of LOLBins (certutil) to fetch payloads, and attempts to establish persistence via a Windows service (dllhost.exe/WindowsUpdate) and RMM tooling (GotoHTTP). Huntress telemetry and Windows Event Logs reveal multiple failed attempts, Defender detections/quarantines, and the actor changing tactics across incidents—initially retrying tooling, then applying Defender exclusions—while reusing infrastructure such as 110.172.104.95 and several client IPs. #Warlock #GotoHTTP #SparkRAT #ShellcodeRunner #Velociraptor #Huntress
Socket’s Threat Research Team discovered two malicious Chrome extensions named Phantom Shuttle (幻影穿梭) that pose as paid multi-location network speed test/VPN tools while injecting hardcoded proxy credentials and routing targeted traffic through attacker-controlled proxies. The extensions perform continuous credential exfiltration and man-in-the-middle data capture via a 60-second heartbeat and proxy infrastructure at phantomshuttle.space using the credentials topfany/963852wei. #PhantomShuttle #phantomshuttle.space
SEQRITE Labs tracked Operation IconCat (UNG0801), a Western Asia–linked activity cluster that targeted Israeli organizations using Hebrew-themed phishing lures and consistent antivirus‑icon spoofing to increase trust. Two campaigns delivered distinct implants — a PyInstaller Python wiper (PYTRIC) via a Check Point‑themed PDF and a Rust espionage implant (RUSTRIC) via a SentinelOne‑themed spear‑phishing Word document — while relying on Dropbox/HTTP C2 infrastructure and AV enumeration. #PYTRIC #RUSTRIC
The Cyber Threat Landscape Report 2025 by Ensign InfoSecurity highlights the increasing sophistication and collaboration among ransomware groups, state-sponsored actors, and organised crime in the Asia Pacific region. It emphasizes emerging threats such as advanced ransomware evasion techniques, hacktivist evolutions, and targeted attacks on business professional services. #LockBit #DragonForce #EnsignInfoSecurity
APT37’s “Artemis” campaign uses social engineering to deliver malicious HWP documents that embed OLE objects and abuse Sysinternals utilities to perform DLL side-loading and deploy RoKRAT. The multi-stage attack leverages steganography, multi-layer XOR decryption, and cloud-based C2 (Yandex/pCloud) to evade signature-based detection and highlights the need for EDR-driven behavior monitoring. #APT37 #RoKRAT