Amazon’s Threat Intelligence team has identified and disrupted operations linked to Russian GRU hackers targeting cloud infrastructure, especially in Western critical sectors like energy. The threat actors shifted from exploiting vulnerabilities to focusing on misconfigured devices, aiming for persistent access and credential theft. #GRU #Sandworm #AWSecurity #Cyberespionage
Tag: INITIAL ACCESS
Amazon’s threat intelligence has revealed a prolonged Russian state-sponsored campaign targeting Western critical infrastructure from 2021 to 2025. The campaign primarily exploited misconfigured network edge devices and leveraged vulnerabilities to harvest credentials and gain persistent access, with connections to GRU-linked groups like APT44 and Sandworm. #GRU #APT44…
An ongoing cyberattack targets AWS customers by exploiting compromised IAM credentials to deploy cryptocurrency mining operations, utilizing sophisticated persistence techniques. Amazon warns users to enhance their security measures to prevent further damage and unauthorized resource consumption. #IAMCredentials #CryptoMining…
Russian government hackers, specifically the group APT44, are increasingly targeting Western energy sectors by exploiting misconfigured network edge devices rather than vulnerabilities in software. These attacks demonstrate a strategic shift towards passive data collection and credential harvesting, emphasizing the importance of proper device configuration in cybersecurity defenses. #APT44 #Sandworm #RussianCyberThreats #CriticalInfrastructure…
A ransomware attack on Japanese company Askul resulted in the theft of over 700,000 records, disrupting orders and logistics. The RansomHouse group claimed responsibility, leaking stolen data after the company refused to pay the ransom. #RansomHouse #Askul #DataBreach…
SentinelLABS assesses that LLMs are accelerating the ransomware lifecycle by increasing speed, volume, and multilingual reach across reconnaissance, phishing, tooling assistance, data triage, and negotiation, while not producing a fundamental change in attacker tactics or novel capabilities. Adversaries are migrating toward self-hosted, open models (e.g., Ollama) and proof-of-concept tools such as Claude Code, PromptLock, MalTerminal, and QUIETVAULT to evade provider guardrails and automate extortion and data theft. #ClaudeCode #QUIETVAULT
AWS attributes a multi-year cyber espionage campaign targeting critical infrastructure to Russia-linked group Sandworm (APT44). The attackers exploit misconfigured customer devices to gain access, steal credentials, and maintain long-term persistence, emphasizing the importance of securing network edge devices. #Sandworm #APT44…
Sophos reviews its participation in the 2025 MITRE ATT&CK Enterprise Evaluations, which emulated two threat actor profiles, SCATTERED SPIDER (GOLD HARVEST) and MUSTANG PANDA (BRONZE PRESIDENT), across realistic end-to-end attack chains spanning on-premises and cloud environments. The report highlights specific TTPs used in the emulations (AiTM phishing and session cookie replay, SSO and IAM abuse, DLL sideloading and process injection, VSCode tunnels, wstunnel, AirByte, S3/FTP exfiltration) and shows where Sophos XDR detected activity and where scenarios deviated from public reporting. #SCATTERED_SPIDER #MUSTANG_PANDA #AirByte #PlugX #wstunnel
CVE-2025-55182 (React2Shell) is a critical pre-authentication RCE in React Server Components and Next.js that allows attackers to execute arbitrary code on vulnerable servers via a single malicious HTTP request. Microsoft observed exploitation activity beginning December 5, 2025 with real-world attempts delivering payloads including cryptominers and RATs, impacting both Windows and Linux environments. #React2Shell #XMRig
In 2025, phishing attacks increasingly used omni-channel methods, bypassing traditional email filters by exploiting social media, search engines, and malvertising channels. Attackers also used advanced tools like Phishing-as-a-Service kits and sophisticated evasion techniques to evade detection and bypass security controls. #ScatteredLapsus$Hunters #Evilginx #PushSecurity
The NexusRoute campaign is a large-scale, professionally maintained Android malware and phishing operation that impersonates Indian Government services (mParivahan / e-Challan), distributes malicious APKs via GitHub repositories/GitHub Pages, and operates mass phishing domains to steal UPI, card, and banking credentials. Technical analysis shows a native-backed multi-stage RAT with dynamic code loading, SMS interception, persistence via BroadcastReceivers and foreground services, Socket.IO C2 at 154.61.80.242, and OSINT links to a commercial Android obfuscation/surveillance tooling ecosystem. #NexusRoute #mParivahan
Cybersecurity Threat Research ‘Weekly’ Recap: A critical unauthenticated deserialization RCE in React Server Components (React2Shell, CVE-2025-55182) is being weaponized for mass scanning and arbitrary code execution, prompting patches and WAF/runtime protections while defenders hunt for indicators (MINOCAT, SNOWLIGHT, HISONIC, XMRig). A broad surge of activity across loaders, backdoors, info stealers, phishing, ransomware, and APTs, featuring EtherRAT, GhostPenguin, NANOREMOTE, CastleRAT, ValleyRAT, GrayBravo, AshTag, AshenLepus, Group123, APT31, Salt Typhoon, GOLD_SALEM, Warlock, Makop, 01flip, Storm-0249, and others, underscores supply-chain abuse, credential theft, and geopolitical intrusions.
#React2Shell #CVE-2025-55182 #MINOCAT #SNOWLIGHT #HISONIC #XMRig #EtherRAT #GhostPenguin #NANOREMOTE #CastleRAT #ValleyRAT #GrayBravo #AshTag #AshenLepus #Group123 #APT31 #SaltTyphoon #GOLD_SALEM #Warlock #Makop #01flip #Storm_0249 #FrostBeacon #Shai_Hulud_2_0 #NexusRoute #RTO_Challan #DroidLock #PhantomStealer #AMOSStealer #Banshee #LummaStealer #JSCEAL #NoteGPT #MoneyMount #VSCodeExtensions
Wiz Research discovered an actively exploited zero-day in Gogs (CVE-2025-8110) that leverages symbolic link bypass of a previous patch to overwrite files outside repositories via the PutContents API, resulting in remote code execution across hundreds of internet-exposed instances. The campaign deployed a Supershell-based Go payload (UPX-packed and garbled) and used open-registration to create repositories with random 8-character names; a patch is not yet available. #CVE-2025-8110 #Supershell
The 2024 Global Cyber Threat Intelligence Report highlights ransomware as the top threat vector, with emerging groups like RansomHub dominating the scene using ransomware-as-a-service (RaaS) models. Nation-state actors such as APT29 continue advanced cyber-espionage activities, while social engineering and AI-enhanced phishing attacks increasingly threaten organizations worldwide. #RansomHub #APT29 #CyberVolk
JSCEAL, an information stealer targeting cryptocurrency application users, evolved in August 2025 to adopt a hardened C2 architecture with single-word domains, standardized .faro and .api subdomains, strict User-Agent filtering and staged PDF gating to increase stealth. Cato observed the active campaign, noted a refactored PowerShell loader and modified build.zip stages, and reports that the Cato SASE Cloud Platform blocks JSCEAL C2 communication and prevents payload execution. #JSCEAL #CatoSASE