SEQRITE Labs tracked Operation IconCat (UNG0801), a Western Asia–linked activity cluster that targeted Israeli organizations using Hebrew-themed phishing lures and consistent antivirus‑icon spoofing to increase trust. Two campaigns delivered distinct implants — a PyInstaller Python wiper (PYTRIC) via a Check Point‑themed PDF and a Rust espionage implant (RUSTRIC) via a SentinelOne‑themed spear‑phishing Word document — while relying on Dropbox/HTTP C2 infrastructure and AV enumeration. #PYTRIC #RUSTRIC
The Cyber Threat Landscape Report 2025 by Ensign InfoSecurity highlights the increasing sophistication and collaboration among ransomware groups, state-sponsored actors, and organised crime in the Asia Pacific region. It emphasizes emerging threats such as advanced ransomware evasion techniques, hacktivist evolutions, and targeted attacks on business professional services. #LockBit #DragonForce #EnsignInfoSecurity
APT37’s “Artemis” campaign uses social engineering to deliver malicious HWP documents that embed OLE objects and abuse Sysinternals utilities to perform DLL side-loading and deploy RoKRAT. The multi-stage attack leverages steganography, multi-layer XOR decryption, and cloud-based C2 (Yandex/pCloud) to evade signature-based detection and highlights the need for EDR-driven behavior monitoring. #APT37 #RoKRAT
FortiGuard Labs and PolySwarm analyzed UDPGangster, a UDP-based backdoor tied to the MuddyWater threat actor that targets users in Turkey, Israel, and Azerbaijan via phishing emails containing macro-enabled Word documents. The malware uses UDP C2 on port 1269, extensive anti-analysis checks, persistence via AppData and registry run keys, and supports commands for remote execution, file exfiltration, payload deployment, and C2 updates. #UDPGangster #MuddyWater
ClickFix pages hosted via compromised legitimate websites were used to trick victims into downloading and executing a batch file that installed NetSupport Manager (NetSupport RAT), which contacted a C2 server and delivered a sideloaded malicious DLL that executed StealC V2. Stolen credentials harvested by StealC were then leveraged to access a Fortinet VPN and ultimately enable Qilin ransomware deployment. #StealC #Qilin
The 2025 Ransomware Report highlights the increasing complexity of ransomware threats, emphasizing the integration of AI and multi-extortion tactics by groups like FunkSec, CL0P, and LockBit. It also details the rise of ransomware-as-a-service (RaaS) models, growing hacktivist involvement, and the weaponization of regulatory compliance to pressure victims. #FunkSec #CL0P #LockBit #RansomHub #TrickBot #Anubis
CYFIRMA analyzed a targeted APT-36 campaign that used a malicious Windows shortcut masquerading as a government advisory PDF to retrieve an MSI installer which deployed a .NET loader, malicious DLLs (including wininet.dll), dropped a decoy PDF, and established registry-run persistence via an HTA. Although the C2 domain wmiprovider[.]com was inactive during analysis, the loader contains obfuscated HTTP endpoints that enable remote command execution and long-term access. #APT36 #NCERT_Whatsapp_Advisory
Zscaler Threat Hunting uncovered a targeted espionage campaign impersonating the Income Tax Department of India that uses URL shorteners and public file hosting to deliver a DLL side-loading implant linked to SideWinder activity. The campaign leverages signed Microsoft binaries (SenseCE.exe) to load a malicious MpGear.dll, performs timezone-based geofencing for India (UTC+5:30), and communicates with C2 servers to deploy a resident agent. #SideWinder #SenseCE
CRIL identified a commodity loader used by multiple threat actors in targeted email campaigns that primarily impacted Manufacturing and Government organizations in Italy, Finland, and Saudi Arabia. The multi-stage, fileless infection chain uses weaponized Office documents (CVE-2017-11882), steganographic PNGs hosted on Archive.org, trojanized TaskScheduler assemblies, reflective loading and process hollowing to deliver payloads such as PureLog Stealer to a C2 at 38.49.210[.]241. #PureLogStealer #TaskScheduler
ESET Research uncovered a new China-aligned threat group, LongNosedGoblin, exploiting Windows Group Policy for malware deployment and lateral movement in government networks. The group uses cloud services like OneDrive and Google Drive for command and control, deploying sophisticated surveillance tools to conduct long-term espionage. #LongNosedGoblin #GroupPolicy #EspionageTools…
Cloud Atlas continues to target organizations in Russia and Belarus using phishing emails that exploit CVE-2018-0802 in Microsoft Office to deliver an HTA which installs a chain of VBScript- and PowerShell-based backdoors (VBShower, VBCloud, PowerShower) and the CloudAtlas implant. The group uses DLL hijacking with legitimate VLC as a loader, cloud services (WebDAV) for C2 and payload distribution, and plugins for file theft and credential/cookie extraction. #CloudAtlas #VBShower
A new China-linked threat group called LongNosedGoblin has been targeting government agencies in Southeast Asia and Japan for cyber espionage since September 2023. The group employs advanced tools and techniques, including Group Policy, cloud services, and custom malware, to infiltrate and spy on victims. #LongNosedGoblin #CyberEspionage…
CYFIRMA analyzed a targeted “quishing” campaign that uses payroll-themed emails with embedded QR codes to redirect victims to obfuscated, per-target phishing pages that auto-fill email addresses and harvest passwords. The campaign relied on randomized domains, encrypted JavaScript, fake CAPTCHA interactions, and rotating collection endpoints to evade detection and complicate forensics. #quishing #CYFIRMA
ClickFix social-engineering pages on compromised websites led victims to download and run a batch that installed NetSupport Manager (NetSupport RAT), which connected to a C2 and delivered a sideloaded StealC V2 infostealer. Stolen credentials harvested by StealC appear to have been used to access a Fortinet VPN and enable a subsequent Qilin ransomware deployment. #StealC_V2 #Qilin
Threat actors linked to North Korea caused a record-breaking $2.02 billion in cryptocurrency thefts in 2025, primarily through high-profile attacks like the Bybit hack. Their operations include sophisticated money laundering schemes and the infiltration of companies worldwide by North Korean IT workers to fund North Korea’s regime. #LazarusGroup #BybitHack…