SEQRITE APT-Team identified “Operation Hanoi Thief,” a spear‑phishing campaign using fake resumes and a pseudo‑polyglot document to deliver a multi‑stage infection chain targeting Vietnamese IT and recruitment professionals. The campaign abuses trusted Windows binaries (ftp.exe, DeviceCredentialDeployment.exe, ctfmon.exe) to decode and sideload a DLL implant named LOTUSHARVEST that steals browser credentials and exfiltrates them to attacker-controlled endpoints. #LOTUSHARVEST #OperationHanoiThief
The Lazarus Group deployed a new C++ in-memory RAT called ScoringMathTea in the “Gotta Fly” phase of Operation DreamJob to target defense contractors supplying UAV technology to Ukraine. ScoringMathTea uses chained polyalphabetic string decryption, API hashing, PEB walking, full reflective DLL injection of plugins, and TEA/XTEA-CBC encrypted HTTP/S C2 with spoofed User-Agent to evade detection #ScoringMathTea #LazarusGroup
A Kimsuky campaign delivered an obfuscated Windows Script Host JScript dropper inside an ALZ-compressed email attachment named “건강검진 안내서.alz” (“Health Checkup Guide.alz”) that displays a fake PDF while dropping and executing a DLL via rundll32. The malware uses multi-stage Base64 decoding (certutil/PowerShell), stores payloads under C:\ProgramData, communicates with C2 at load.samework.o-r.kr using AES-CBC-encrypted POST bodies and a decrypted Chrome 79 user-agent, and achieves persistence via regsvr32 scheduled execution. #Kimsuky #NationalHealthInsurance
Kimsuky and Lazarus operate as a coordinated pair — Kimsuky conducts precise espionage via academic-themed spearphishing to collect network maps and credentials, while Lazarus exploits zero-day vulnerabilities to escalate privileges and steal cryptocurrency. The collaboration uses shared C2 infrastructure, bespoke backdoors (e.g., FPSpy, InvisibleFerret) and evasive techniques to exfiltrate intelligence and millions in crypto with minimal detection. #Kimsuky #Lazarus
Microsoft is set to strengthen Entra ID’s security by enforcing a stricter Content Security Policy to prevent external script injection during user sign-ins starting in October 2026. This update aims to mitigate risks like cross-site scripting attacks, safeguarding organizational authentication processes. #EntraID #ContentSecurityPolicy
Automated Security Validation (ASV) continuously simulates real-world attacker tactics to validate whether flagged vulnerabilities are actually exploitable in an organization’s specific environment and to measure control effectiveness in real time. Adversarial Exposure Validation technologies—Breach and Attack Simulation (BAS) and Automated Penetration Testing (APT)—help reduce remediation backlogs, speed up MTTR, and provide continuous compliance and remediation validation with platforms such as Picus Security. #Log4j #PicusSecurity
Xillen Stealer is a Python-based cross-platform information stealer whose v4 and v5 updates expand capabilities to harvest credentials, browser data from 100+ browsers, cryptocurrency from 70+ wallets, container and cloud configurations, and biometric/TOTP data while adding persistence, polymorphism, and P2P C2 features. The malware is marketed via Telegram by a group calling itself Xillen Killers and has public GitHub activity and sample hashes published in the appendices. #XillenStealer #XillenKillers
The 2025 holiday season shows a sharp rise in malicious, holiday-themed and e-commerce spoof domains, massive volumes of stealer-log credentials, and active exploitation of critical vulnerabilities across Magento, Oracle EBS, and WooCommerce. Organizations face industrialized, automated attacker services—AI-driven brute force, instant phishing hosting, and marketplace commoditization—that enable large-scale credential abuse and payment skimming. #Magento #WooCommerce
Berserk Bear is an FSB-linked espionage group active since at least 2010 that conducts long-running, stealthy intrusions against critical infrastructure, especially energy, telecom, aviation, and state/local networks. Their campaigns reuse legitimate admin tools, trojanize vendor software, and exploit router vulnerabilities (notably CVE-2018-0171) while deploying implants such as Havex to maintain persistent access. #BerserkBear #Havex
A memory flaw in Firefox’s WebAssembly implementation remained hidden for six months, affecting over 180 million users and risking arbitrary code execution. This incident highlights the importance of AI-driven security research and continuous patch management for safeguarding modern browsers. #Firefox #WebAssembly #MemorySafety…
Jamf Threat Labs analyzed a new macOS infostealer family named DigitStealer that uses unsigned disk images, multi-stage in-memory payloads, AppleScript/JXA, and hardware-based sysctl checks to target Apple Silicon M2+ systems and evade detection. The campaign modifies Ledger Live to redirect endpoints, exfiltrates credentials and files to attacker-controlled domains (notably goldenticketsshop[.]com), and…
Multiple popular npm scopes (including @zapier, @asyncapi, @postman, @posthog and @ensdomains) were compromised via account takeover and developer compromise to inject a stealthy two-stage loader (setup_bun.js → bun_environment.js) that installs or locates the Bun runtime and runs an obfuscated 10MB payload in the background while suppressing all output. The malicious code harvests CI and cloud credentials (GITHUB_TOKEN, NPM_TOKEN, AWS keys), performs aggressive multi-region cloud secret enumeration, propagates by using stolen NPM tokens to republish packages, and includes destructive file-shredding if no valid tokens are found. #Sha1-Hulud #Bun
EDR-Redir V2 demonstrates a technique to redirect a security software’s operating folder by creating a bind-link loop between Program Files and a controlled TEMPDIR, enabling DLL hijacking to activate in place of the EDR. The experiment, using Windows Defender on Windows 11, shows that protecting parent folders, rather than just the…
Google’s Threat Intelligence Group (GTIG) uncovered a sophisticated cyber-espionage campaign by APT24, primarily targeting organizations in Taiwan through the BADAUDIO downloader. The campaign spans over three years and involves complex delivery methods including web compromises, supply chain attacks, and spear-phishing, demonstrating high-level technical obfuscation and strategic planning. #APT24 #BADAUDIO…
Cybersecurity Threat Research ‘Weekly’ Recap highlights a broad spectrum of activity, from APT and state-backed espionage campaigns to email, banking malware, ransomware, phishing, and supply-chain abuse, along with updates on detection and defensive tooling. Key actors and families mentioned include APT35, APT24, ToddyCat, MuddyWater, UNC1549, Curly COMrades, Kimsuky, NotDoor, WaterSaci, Astaroth, Eternidade, Sarcoma, Lynx, Akira, The Gentlemen, Tycoon2FA, Tsundere, PlushDaemon, NKNShell, TamperedChef, and related C2 and advancement trends.
#APT35 #APT24 #ToddyCat #MuddyWater #UNC1549 #CurlyCOMrades #Kimsuky #NotDoor #WaterSaci #Astaroth #Eternidade #Sarcoma #Lynx #Akira #TheGentlemen #Tycoon2FA #Tsundere #PlushDaemon #NKNShell #TamperedChef