This weekly recap highlights significant developments in ransomware, malware, and threat actor tactics, including the propagation of Linux variants and credential theft tools. It underscores emerging vulnerabilities in supply chain software and sophisticated espionage campaigns linked to state actors. #QilinRansomware #LockBit #ShadowCoil #Gunra #ScatteredSpider #ToolShellZeroDay #Hafnium #TraderTraitor
Ransomware and Malware Operations
- Qilin Ransomware: Investigation of the Qilin RaaS affiliate “hastalamuerte” reveals use of Mimikatz, NetExec, obfuscation, and cryptocurrency APIs in Windows-targeted attacks. Inside Qilin Ransomware Affiliate’s Panel – The Raven File
- LockBit Tactics: LockBit ransomware employs DLL sideloading and masquerading for stealthy payload execution and persistence. Unmasking LockBit: DLL Sideloading and Masquerading
- ShadowCoil Credential Stealer: Ex-RansomHub affiliate ShadowCoil uses SocGholish and a new Python stealer targeting Chrome and Edge browsers. Detection and mitigation guidance included. Unpacking ShadowCoil’s Credential Harvesting Tool
- Gunra Linux Ransomware Variant: Gunra expands to Linux with a high-performance variant enabling parallel and partial encryption for cross-industry impact. Gunra Ransomware Group Unveils Efficient Linux Variant
- Scattered Spider Group: This cybercriminal group targets enterprises with social engineering and malware including DragonForce ransomware, the Ratty RAT, and Raccoon Stealer. Scattered Spider – Evolving Tactics and Mitigations
- Storm-2603’s Ransomware Campaigns: Chinese-linked actor exploits ToolShell SharePoint vulnerabilities using custom framework ak47c2 to deploy LockBit Black and Warlock variants. Before ToolShell: Storm-2603 Ransomware Operations
- Cobalt Strike via Social Media: Attackers deploy Cobalt Strike Beacon using DLL hijacking and malicious profiles on GitHub, Quora, and Microsoft Learn against Russian and international targets. Cobalt Strike Beacon Delivered via GitHub and Social Media
- VIP Keylogger Spear Phishing: Recent campaigns use AutoIt injection in malicious ZIP email attachments to deploy keystroke logging and credential theft malware. Spear Phishing Campaign Delivers VIP Keylogger
Supply Chain and Software Vulnerabilities
- SharePoint ToolShell Zero-Day: Critical Microsoft SharePoint vulnerabilities (CVE-2025-53770 and others) are actively exploited by China-based groups Linen and Violet Typhoon, deploying web shells and stealing credentials. Response to CISA Alert on SharePoint Exploits | ToolShell Zero Day in SharePoint
- NestJS Devtools RCE: Critical localhost remote code execution found in @nestjs/devtools integration due to sandbox escape and weak CORS/content-type checks. Critical Vulnerability in NestJS Devtools
- Scavenger Supply Chain Compromise: eslint-config-prettier NPM package was compromised to distribute Scavenger Loader malware with advanced evasion and stealer modules. Scavenger Malware via NPM Package Supply Chain
- WordPress Backdoor Plugin: “wp-compat” plugin creates hidden admin accounts with strong evasion to maintain persistent access unnoticed. Unauthorized Admin via Disguised WordPress Plugin
Espionage and State-Sponsored Threats
- Secret Blizzard AiTM Campaign: Russian state actor conducts adversary-in-the-middle attacks at the ISP level in Moscow, deploying ApolloShadow malware to intercept embassy traffic. Frozen in Transit: Secret Blizzard’s AiTM Campaign
- DPRK IT Workers Infiltration: North Korea’s Reconnaissance General Bureau embeds operatives in global remote IT work with complex laundering schemes to fund cyber espionage and infrastructure access. From Laptops to Laundromats: DPRK Infiltration
- TraderTraitor Crypto Heists: North Korean Lazarus-linked group targets blockchain ecosystems through social engineering and cloud attacks, responsible for multi-billion dollar crypto breaches. TraderTraitor: North Korean Crypto Threat
- UNC3886 APT Tactics: This group targets critical infrastructure with zero-days and stealthy malware including Linux rootkits and living-off-the-land techniques. Revisiting UNC3886 Tactics
- Interlock Group Malware Arsenal: Multi-stage ransomware operations leverage PHP backdoors, PowerShell, and LOLBins for evasion and persistence. Detailed Python detection scripts provided. Unmasking Interlock Group’s Malware
- Hafnium-Linked Forensics Tools: SentinelLABS exposes advanced forensic and encrypted data collection technology tied to Chinese government-affiliated companies connected with Hafnium activity. China’s Covert Capabilities: Silk Spun from Hafnium
- Global Telecom Network Infiltration: Unit 42 tracks CL-STA-0969—a nation-state cluster using stealthy backdoors and implants in Southwest Asian telecom infrastructure. The Covert Operator’s Playbook
Information Stealers and Infostealer-as-a-Service
- Lumma Stealer via Fake Telegram Site: Fake Telegram Premium website distributes Lumma Stealer variant targeting browser credentials and crypto wallets with drive-by downloads. Fake Telegram Premium Site Distributes Lumma Stealer
- AppleProcessHub macOS Stealer: Multi-stage macOS infostealer captures keychain, shell history, SSH credentials, and runs AES-decrypted scripts for ongoing exfiltration. Dissecting the macOS AppleProcessHub Stealer
- PasivRobber macOS Spyware: macOS malware targets Chinese apps with modular spyware features linked to military-associated groups, using obfuscation and remote updates. PasivRobber: Chinese macOS Spyware Analysis
- NOVABLIGHT MaaS Infostealer: NodeJS-based modular infostealer with sabotage capabilities operating on Telegram and Discord, linked to Sordeal group communications. MaaS Appeal: NOVABLIGHT Infostealer
- JSCEAL Node.js Malware Campaign: Compiled JavaScript malware targets crypto app users in EU via malicious ads and multi-layered infection chains. Actors Leveraging Node.js to Launch JSCEAL
Phishing, Social Engineering, and Credential Theft
- Microsoft OAuth MFA Phishing: Attackers impersonate OAuth apps to bypass MFA and harvest Microsoft 365 credentials using AiTM phishing kits like Tycoon. Microsoft OAuth App Impersonation Campaign
- 2025 Social Engineering Trends: Unit 42 reports social engineering remains the top vector for initial access, with AI-enhanced tactics and high-touch exploitation by groups such as Muddled Libra. 2025 Unit 42 Global Incident Response Report: Social Engineering
- Deepfake Financial Fraud on Social Media: Fake influencer scams using deepfakes target Facebook and Instagram users for stock investment fraud, involving over 120 deceptive ads. Deepfakes and Financial Fraud on Social Media
- TraderTraitor North Korean Crypto Attacks: Sophisticated social engineering and cloud compromise enable major cryptocurrency thefts. TraderTraitor: North Korean Crypto Heist
Network Censorship, Exploits, and Infrastructure Attacks
- Great Firewall QUIC SNI Censorship & Circumvention: China's Great Firewall inspects QUIC handshakes and blocks connections based on the SNI; researchers identified vulnerabilities in this mechanism that enable UDP blocking and developed circumvention tools. Exposing and Circumventing SNI-based QUIC Censorship
- Operation RoundPress DNS Exploits: APT28 leverages CVE-2025-32433 and CVE-2024-42009 in webmail breaches; researchers uncovered the campaign's extensive malicious DNS infrastructure. Rounding Up DNS Facts About Operation RoundPress
- Proxy Trickster Group: Since 2024, Proxy Trickster targets IT infrastructure with proxyjacking and crypto mining using gs-netcat and advanced script automation. Proxy Trickster Targets Servers for Profit
Cyber Hygiene, Incident Response & Awareness
- CISA & USCG Cyber Hygiene Advisory: A proactive hunt found no intrusions but identified multiple risks affecting critical infrastructure, including poor logging, shared local administrator credentials, and weak IT-OT segmentation. CISA and USCG Identify Areas for Cyber Hygiene Improvement | Response to CISA Advisory AA25-212A
- Backdoors & Breaches Incident Response Game: Datadog’s expansion pack for the cybersecurity incident response card game helps teams practice real-world scenarios in-person and online. Backdoors & Breaches Gameplay Guide
- Hacker Summer Camp 2025 Overview: Datadog highlights key security conferences covering app security, cloud, red teaming, and AI, with talks and open source tools shared. Datadog Guide to Hacker Summer Camp 2025
Emerging Threats and Trends
- Google Redirect Abuse 2024: Attackers exploit Google AMP, Maps, and Translate redirects using URL tricks and CAPTCHA bypass to increase phishing effectiveness. Google Redirect Abuse in 2024: Key Trends and Tactics
- DeerStealer and July 2025 Malware Highlights: Notable attacks include obfuscated .LNK-delivered DeerStealer, Snake Keylogger, and fake 7-Zip installers abusing legitimate Remote Access Tools. Major Cyber Attacks in July 2025