Cybersecurity Threat Research ‘Weekly’ Recap. Topics covered include Tor-based SSH backdoors, supply-chain and dev-tooling compromises, cloud abuse and credential theft, active vulnerabilities and exploits, diverse malware families and ransomware trends, phishing and mobile propagation, botnets and anonymized infrastructure, APTs and regional campaigns, detection frameworks and risk management, and a large leak exposing Great Firewall internals.
Tor-based SSH / anonymized backdoors
- Multi-stage spearphish delivered a Tor/obfs4-backed SSH/RDP backdoor with pre-generated RSA keys and OpenSSH for Windows; the TTPs resemble Sandworm's. Weaponized military ZIP → Tor + SSH backdoor
- Targeted campaign using LNK→PowerShell to deploy OpenSSH + Tor (obfs4), register victims to onion addresses and expose local services via hidden SSH/SFTP. Operation SkyCloak → Tor-based SSH exposé
Supply-chain & developer-tooling compromises
- Q3 snapshot: surge in supply-chain and dev-tooling attacks — npm account takeovers, malicious VS Code extensions, AI-assisted malware, and long-lived cloud credential risks. Datadog Q3 roundup → npm & dev-tool risks
- Self-replicating npm worm Shai‑Hulud injected token‑stealing postinstall scripts to exfiltrate GitHub/NPM/cloud tokens and propagate across packages. Shai‑Hulud worm → npm self-replicator
- 10 typosquatted npm packages used multi-stage postinstall hooks and a large PyInstaller payload to harvest credentials and exfiltrate to C2. Typosquat npm packages → credential harvester
- Malicious VS Code extensions (11+) stole source code, mined crypto and provided backdoors; deceptive staging and cross-marketplace republication amplified impact. TigerJack VS Code campaign → malicious extensions
- Post-incident lessons and CI/CD mitigations: rotate tokens, harden GitHub Actions, use supply-chain firewalls and tooling like GuardDog. Learnings from npm compromises → mitigations
Cloud abuse, credential theft & detection
- Attackers used stolen AWS creds and TruffleNet automation (TruffleHog + API probing) to find valid accounts, create verified email identities and run BEC campaigns (notable domain: cfp-impactaction[.]com). Cloud Abuse at Scale → TruffleNet
- Flaw in CloudTrail Network Activity could leak AWS Account IDs via VPC endpoint deny policies; AWS issued a redaction fix after disclosure. VPC endpoint → CloudTrail S3 account leak
- Defender guidance: prioritize privileged-account monitoring (PAM, PAWs, MFA, secrets management, session telemetry) and practiced credential rotation to reduce blast radius. Keys to the Kingdom → privileged account monitoring
- Digital Risk Management and continuous third‑party/cloud/SaaS monitoring to protect brand, supply chains and integrations. Digital risk management → DRM strategies
- Wiz case: continuous cloud posture + AI tooling can automate SOC 2 workflows and speed compliance evidence collection. Wiz on SOC 2 → continuous cloud security
Vulnerabilities & active exploitation
- Unauthenticated deserialization RCE in WSUS (CVE-2025-59287) was actively exploited against exposed WSUS instances (ports 8530/8531); Microsoft issued emergency fix and CISA KEV listing. WSUS CVE-2025-59287 → active exploitation
- Zero-day exploitation of Motex LANSCOPE (CVE-2025-61932) gave SYSTEM RCE to BRONZE BUTLER, enabling backdoors (Gokcpdoor/Havoc) and data theft—patch and review internet-facing instances. BRONZE BUTLER → LANSCOPE zero-day
- Active exploitation of Apache ActiveMQ deserialization (CVE-2023-46604) to deploy Kinsing/Sharpire, miners and Cobalt Strike via manipulated OpenWire payloads. ActiveMQ → Kinsing / Sharpire
- Operation ForumTroll used a Chrome sandbox escape (CVE-2025-2783) to deliver loaders and spyware (LeetAgent, Dante) with Fastly-hosted C2s and advanced persistence. ForumTroll → Chrome zero-day
Malware, RATs & post‑exploitation frameworks
- Atroposia: modular RAT offering hidden RDP, encrypted C2, wallet theft, DNS hijack and local vuln scanning—marketed alongside turnkey criminal toolkits. Atroposia RAT → feature-rich RAT
- Open-source AdaptixC2 abused widely in ransomware campaigns; researchers trace ties to Russian criminal forums and loader usage (CountLoader). AdaptixC2 analysis → open-source C2 abuse
- Four related Discord-based RATs (UwUdisRAT, STD RAT, Minecraft RAT, Propionanilide RAT) share a C++ core, Discord tokens and a custom packer (Proplock). Discord RAT family → STD Group
- New Windows malware family Airstalk abused AirWatch MDM API as covert C2 to exfiltrate browser artifacts; signed .NET samples with likely stolen certs observed. Airstalk → MDM-based C2
- DPRK actors: Kimsuky deployed obfuscated HttpTroy backdoor; Lazarus circulated upgraded BLINDINGCAN with stronger crypto and evasive persistence. DPRK campaigns → HttpTroy & BLINDINGCAN
- Surge in fileless Remcos infostealer via obfuscated PowerShell and msiexec process hollowing to harvest browser credentials. Fileless Remcos → infostealer surge
- Rhadamanthys infostealer distributed via Ren’Py game bundles that load malicious packages and inject into .NET processes. Rhadamanthys via Ren’Py → game-distributed infostealer
- Modular Android family GhostGrab combines Monero mining, banking theft and SMS/OTP interception using Firebase for C2. GhostGrab Android → banking + miner
- Maverick banking trojan spread via WhatsApp ZIP→LNK chain, using fileless .NET + Donut shellcode and WPPConnect-based propagation. Maverick banker → WhatsApp distribution
Ransomware & leak-site activity
- Beast ransomware (evolved from Monster) operates as RaaS with SMB scans, country-based filters, ChaCha20 hybrid encryption and Tor leak sites; multiple victims disclosed. Beast ransomware → RaaS escalation
- Qilin continues high-volume leak-site postings and dual-encryptor deployments, targeting manufacturing and professional services; artifacts show credential theft tooling. Qilin attacks → leak‑site extortion
- October overview: phishing via legitimate cloud services (Figma, ClickUp), layered CAPTCHAs/redirects, and new toolsets like LockBit 5.0 and TyKit expanding impact to M365, ESXi and Linux. October cyber attacks → phishing & ransomware trends
- Guidance: proactive, entity‑centric threat intelligence and automated remediation lower ransomware risk. How to prevent ransomware → preventive intelligence
Messaging, mobile propagation & phishing
- Evolved WhatsApp campaign (Water Saci) used WhatsApp Web to deliver ZIPs with VBS→fileless PowerShell that hijacks browsers, harvests contacts and self‑propagates via multi-channel C2. Active Water Saci → WhatsApp propagation
- Smishing campaign impersonated Autostrade per l’Italia via SMS directing victims to typosquatted payment pages on autostiade[.]com. Autostrade smishing → SMS fraud
- AI website builders (VibeScams) are producing convincing, mass phishing/scam sites; researchers blocked ~140k AI-generated malicious sites through Aug 2025. VibeScams → AI-driven phishing sites
- SVG image attachments used in phishing to deliver Amatera stealer and PureMiner DNS tooling; defenders identified 26 IoCs and domain/IP patterns for early detection. SVG phishing → Amatera & PureMiner
- BlueNoroff targeted Web3 via social-engineering (GhostCall/GhostHire) delivering multi-stage implants (DownTroy, ZoomClutch, CosmicDoor) and reusing victim recordings. BlueNoroff campaigns → Web3-targeted social engineering
Botnets, anonymized infrastructure & monitoring
- Researchers uncovered PolarEdge’s previously undocumented RPX_Client IoT relay that onboards compromised devices into a proxy pool (~25k infected devices across 40 countries) and a 140-node VPS server network. PolarEdge RPX_Client → IoT proxy network
- Guide to ingesting TOR exit-node data into Elastic for detection of anonymized reconnaissance, C2 and exfiltration. TOR exit-node monitoring → detection guide
APTs, intrusions & regional campaigns
- APT‑C‑60 escalated SpyGlace campaigns vs Japan with evolved backdoors, refined VHDX delivery and stealthy use of GitHub/StatCounter for distribution. APT‑C‑60 SpyGlace → targeted espionage
- Russian-linked intrusions against Ukrainian organizations used Localolive webshells, LOTL tooling and credential harvesting for prolonged access. Ukraine-targeted ops → Localolive
- Darktrace analysis of a recent intrusion attributed to the cluster dubbed Salt Typhoon, highlighting behavioral detection telemetry. Salty Much → intrusion view
Detection frameworks, SOC & risk management
- MITRE ATT&CK v18 replaces legacy Detections/Data Sources with behavior-driven Detection Strategies + Analytics, improving telemetry mapping and cross-tactic correlation. MITRE ATT&CK v18 → detection model update
- LogPoint guidance for comprehensive ransomware detection tailored to UK public healthcare environments. Ransomware detection → UK healthcare guide
- Recorded Future: proactive, entity-centric threat intel and automation for faster ransomware remediation and prevention. Recorded Future → ransomware prevention
- Discussion on Agentic AI reshaping detection and response, enabling autonomous triage and action with human oversight. Agentic AI → AI-driven defense
Leaks, exposures & digital‑risk signals
- Massive leak (≈500–600 GB) of China’s censorship/Great Firewall internal data including source code, PCAPs and configs, exposing heuristics for Psiphon, V2Ray, Shadowsocks and vendor/ISP links. Great Firewall dump → censorship infra leak