CrazyHunter is a Go-based ransomware forked from the Prince builder that targets Windows environments—primarily healthcare organizations in Taiwan—using GPO abuse, BYOVD with a vulnerable Zemana driver, memory loaders, and multiple AV-killing components to rapidly propagate and evade defenses. The Trellix analysis details the full attack lifecycle, technical artifacts (including go.exe/go2.exe/go3.exe, bb.exe, crazyhunter.sys), mitigation recommendations, and IOCs for detection and response. #CrazyHunter #SharpGPOAbuse
Tag: EDR
The FBI warns that the North Korean APT group Kimsuky is using spear-phishing emails carrying malicious QR codes, known as quishing, to target government and research organizations. Because the QR code moves the link out of the email body and onto the user's phone, it evades email security controls that scan URLs; the stolen credentials are then used to exfiltrate data and hijack cloud accounts, making this a high-threat vector in enterprise environments. #Kimsuky #quishing…
Astaroth’s latest campaign uses WhatsApp Web to harvest contacts and automatically send malicious ZIP archives, enabling rapid worm-like propagation while maintaining a Delphi-based banking payload for credential theft. The operation bundles an MSI installer and a Python-based spreader (zapbiu.py) that exfiltrates contact lists and monitors browsing to steal banking credentials. #Astaroth #WhatsApp
The FBI warns that the North Korean hacker group Kimsuky is using malicious QR codes in spear-phishing campaigns targeting U.S. organizations involved in North Korea-related policy and research. These attacks often bypass traditional email security measures and can hijack cloud identities by stealing session tokens, which lets the attacker sidestep MFA on the stolen account. #Kimsuky #quishing
CloudSEK TRIAD uncovered a MuddyWater spearphishing campaign that used icon‑spoofed Word documents to deploy a Rust-based implant (referred to as RustyWater) against diplomatic, maritime, financial, and telecom targets in the Middle East. The implant is delivered via VBA macros that drop a hex‑encoded PE (reddit.exe / CertificationKit.ini) and provides asynchronous HTTP C2, registry persistence, anti-analysis, process injection, and modular post-compromise capability. #MuddyWater #RustyWater
Chainguard’s latest report highlights how modern organizations rely heavily on open source software, especially in AI stacks, and face significant security risks in less-visible longtail images. The majority of vulnerabilities and CVEs are concentrated outside the most popular projects, emphasizing the importance of comprehensive remediation. #Chainguard #OpenSourceSupplyChain…
Huntress observed a rise in rogue ScreenConnect installations in 2025, with threat actors using social engineering lures (invoices, invitations, Social Security statements) to get victims to download renamed ScreenConnect clients. Attackers abused domains and dynamic DNS services to host installers and C2, and Huntress recommends auditing RMMs, reviewing logs, and using domain reputation/callback analysis to detect malicious instances. #ScreenConnect #Huntress
Recorded Future’s Insikt Group tracked BlueDelta credential-harvesting campaigns from February to September 2025 that impersonated Microsoft OWA, Google, and Sophos VPN portals and abused free hosting and tunneling services to capture and exfiltrate credentials. The campaigns targeted researchers and policy-linked organizations, using legitimate PDF documents as lures and customized JavaScript that captures the victim's input and then redirects to the real site, reducing both detection and the victim's suspicion. #BlueDelta #MicrosoftOWA
Cephalus ransomware surfaced in mid‑August 2025, gains access to Windows endpoints through exposed RDP accounts lacking MFA, and performs stealthy local encryption, data exfiltration, and Volume Shadow Copy deletion to hinder recovery. The article demonstrates detection and automated response using Wazuh (Sysmon integration, custom detection rules, File Integrity Monitoring, YARA rules, and Active…
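The shadow-copy deletion step is the most reliably detectable part of the chain described above, because the commands are few and rarely legitimate on a workstation. The following is an added example, not code from the Wazuh article or the Cephalus analysis: a small classifier that runs over Sysmon Event ID 1 (process creation) records, flags the common recovery-inhibition commands (MITRE ATT&CK T1490), and returns the matches with their parent process for triage. The sample events are constructed for illustration; field names follow Sysmon's own event data (EventID, CommandLine, Image, ParentImage, Computer).

```python
import re

# Recovery-inhibition command patterns (ATT&CK T1490). Each regex is applied,
# case-insensitively, to a normalised Sysmon Event ID 1 command line.
SHADOW_TAMPER_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell_remove_shadowcopy",
     re.compile(r"\bwin32_shadowcopy\b.*(remove-wmiobject|remove-ciminstance|\.delete\s*\(\s*\))", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I)),
]


def normalise_cmdline(cmd):
    """Strip quotes and collapse whitespace so quoted/padded variants still match."""
    return re.sub(r"\s+", " ", (cmd or "").replace('"', "")).strip()


def classify(event):
    """Return the name of the first rule matched by one Sysmon record, or None.

    Only Event ID 1 (process creation) carries a command line worth inspecting;
    other Sysmon event types are ignored.
    """
    if event.get("EventID") != 1:
        return None
    cmd = normalise_cmdline(event.get("CommandLine"))
    for name, pattern in SHADOW_TAMPER_RULES:
        if pattern.search(cmd):
            return name
    return None


def detect_shadow_copy_tampering(events):
    """Return (rule, host, parent_image, command_line) for every matching record.

    The parent image is kept because the same vssadmin command launched from a
    backup agent and from an Office macro or an RDP-spawned cmd.exe warrant very
    different responses.
    """
    hits = []
    for ev in events:
        rule = classify(ev)
        if rule:
            hits.append((rule, ev.get("Computer"), ev.get("ParentImage"), ev.get("CommandLine")))
    return hits


# Constructed sample events (not real telemetry) in the shape of Sysmon EID 1 data.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin list shadows"},                       # benign enumeration
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Users\Public\cephalus.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\Public\cephalus.exe",
     "CommandLine": 'powershell.exe -NoP -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"'},
    {"EventID": 3, "Computer": "WS02", "Image": r"C:\Users\Public\cephalus.exe"},   # network event, no cmdline
    {"EventID": 1, "Computer": "WS03", "Image": r"C:\Windows\System32\bcdedit.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"EventID": 1, "Computer": "WS03", "Image": r"C:\Windows\System32\wbadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
]

if __name__ == "__main__":
    for rule, host, parent, cmd in detect_shadow_copy_tampering(SAMPLE_EVENTS):
        print(f"{host}: {rule} (parent={parent}) :: {cmd}")
```

The same patterns translate directly into a Wazuh custom rule matching on the Sysmon `win.eventdata.commandLine` field, with the parent image in `win.eventdata.parentImage` available for an exclusion on a known backup agent; the Python form is useful for testing the expressions against captured events before committing them to a ruleset.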
Generative AI platforms like Amazon Bedrock and SageMaker accelerate agent and model deployment but create new security blind spots around visibility, access control, and unintended data exposure. Darktrace / CLOUD provides continuous configuration visibility, architectural mapping, privilege and misconfiguration analysis, and behavioral anomaly detection to reduce risk and prevent accidental or unauthorized data exposures. #AmazonBedrock #Darktrace
Researchers discovered exposed Sliver C2 databases and logs in open directories, linking a threat actor that exploited multiple FortiWeb appliances and used React2Shell (CVE-2025-55182) to deploy Sliver and FRP (fast reverse proxy) to expose local services. Analysis shows Sliver implants, C2 domains, FRP, and a renamed microsocks proxy (cups-lpd) persisted via systemd/supervisord on outdated FortiWeb devices, highlighting a major visibility blind spot on appliances that defenders rarely instrument. #Sliver #FortiWeb
The ransomware ecosystem in 2025 fragmented rather than collapsed: affiliates became more independent, groups blurred their boundaries, and operators shifted toward identity abuse, supply-chain compromise, and data-first extortion. Long dwell times, widespread exploitation of enterprise software, and high victim impact (with Fortinet reporting 73% of organizations hit and low full-recovery rates) show the threat evolved into quieter, more targeted campaigns. #ScatteredLapsusHunters #OracleEBS
A threat actor named Zestix, also known as Sentap, uses credentials harvested from infostealer-infected employee devices, combined with weak security practices, to access and sell corporate cloud accounts, including ShareFile and Nextcloud. This campaign highlights the importance of enforcing Multi-Factor Authentication and monitoring for compromised credentials in preventing data breaches. #Zestix #Sentap #Infostealer #ShareFile #Nextcloud
Cybersecurity Threat Research ‘Weekly’ Recap: This edition highlights information stealers and browser-extension abuse, including the VVS stealer, the EmEditor supply-chain incident with a Google Drive Caching extension, and the widespread ShadyPanda extension campaign affecting millions of users. It also covers APT activity and targeted intrusions (ToneShell and HoneyMyte kernel rootkit), Indian government‑focused LNK/HTA loaders and campaigns (APT36), Lazarus and Kimsuky shared infrastructure, RondoDoX botnet evolution with React2Shell, and ongoing tooling updates from Validin.
#VVSstealer #GoogleDriveCaching #ShadyPanda #ToneShell #HoneyMyte #APT36 #Lazarus #Kimsuky #RondoDoX #React2Shell #Validin #EmEditor #avocadomechanism #potherbreference
The Cato Networks 2025 Threat Report highlights the company’s comprehensive SASE platform that integrates network transformation, security, and cloud optimization to address evolving cybersecurity challenges. Key features include intelligent threat prevention, incident lifecycle management, and seamless cloud connectivity using AI-driven analytics. #CatoNetworks #SASE #SDWAN