Threat Research | Weekly Recap [05 Oct 2025]

Cybersecurity Threat Research ‘Weekly’ Recap. The update covers ongoing abuse across Messaging & Social Platforms, including WhatsApp/Android trojans, fake groups targeting seniors, SMS smishing, and AI-generated clone sites harvesting PII. It also highlights ransomware and extortion trends (Yurei, FunkLocker, BQTLock), notable APTs and long-term intrusions (Phantom Taurus, Confucius, Goffee, Lunar Spider, Scattered Lapsus$ Hunters, Lazarus), malware distribution & infrastructure abuse (WordPress malvertising, Detour Dog, WARMCOOKIE, Rhadamanthys, ClickFix, XiebroC2), Linux threats (Koske, FlipSwitch), and threat intel/detection tooling guidance (YARA hunting, intel ops best practices).
#SOCRadar #PhantomTaurus #Confucius #Goffee #LunarSpider #Lazarus #Koske #FlipSwitch #DetourDog #Rhadamanthys #ClickFix #XiebroC2 #MatrixPDF #Yurei #FunkLocker #BQTLock #DetourDog #WARMCOOKIE #WordPressMalvertising #Validin #EclecticIQ

Messaging & Social Platform Abuse

WhatsApp-forwarding desktop malware that hijacks WhatsApp Web, persists via LNK/PowerShell and spreads rapidly in Brazil. Trend Micro — SORVEPOTEL via WhatsApp
PDF toolkit that injects overlays/JS to bypass previews and redirect Gmail users to payloads. Varonis — MatrixPDF phishing toolkit
Fake Facebook groups targeting seniors to distribute Android trojans (notably Datzbro) for overlays, recording and payment‑card phishing. Malwarebytes — scam Facebook groups push Android malware
Two undocumented Android spyware families impersonating Signal/ToTok in the UAE, luring users to side‑load APKs and exfiltrating sensitive files. ESET — Android spyware targeting UAE
Large-scale smishing via abused Milesight cellular-router APIs (unauthenticated SMS), impersonating government services with campaigns traced to NameSilo/Podaon infrastructure. SEKOIA — Silent Smishing (router API abuse)
AI/SEO-powered clones of government pages (e.g., IC3) used to harvest PII and trick victims into submitting sensitive reports. Varonis — fake Bureau of Investigation sites

Ransomware & Extortion

Yurei: Go-based ransomware with per-file ChaCha20+ECIES, strong anti‑forensics, SMB/removable spread and double‑extortion tracking. Cyfirma — Yurei Ransomware
FunkLocker: AI-assisted ransomware with many inconsistent builds but consistent destructive behavior (.funksec); researchers recovered a decryptor after wallet/key reuse. Any.run/Avast — FunkLocker analysis
BQTLock: Emerging Middle‑Eastern RaaS combining aggressive extortion, political propaganda and AES‑256/RSA‑4096 crypto, marketed to affiliates. SOCRadar — BQTLock profile

APTs & Long‑Term Intrusions

Phantom Taurus: New Chinese APT using the .NET IIS‑focused NET‑STAR suite and DB‑collection scripts against gov/telco targets in Africa/Middle East/Asia. Unit42 — Phantom Taurus & NET‑STAR
Confucius: South Asia espionage actor evolved from WooperStealer to Python backdoors (AnonDoor), using spear‑phishing, LNK/OLE and DLL sideloading. Fortinet — Confucius: stealer → backdoor
Goffee: Long-term stealth intrusions against Russian targets using legacy and new tooling (DQuic, MiRat, Sauropsida rootkit) and Russian-hosted traffic blending. PT Security — Goffee group tooling
Lunar Spider chain: JavaScript dropper → MSI → Brute Ratel → Latrodectus/backconnect VNC → Cobalt Strike and long-lived exfiltration (Rclone/FTP). DFIR Report — Lunar Spider intrusion
Scattered Lapsus$ Hunters: Alliance of Scattered Spider/LAPSUS$/ShinyHunters scaling vishing, OAuth abuse and trojanized Data Loader apps to steal data from ≥91 orgs. SOCRadar — Scattered Lapsus$ Hunters
Lazarus subgroup: Operators used three RATs (PondRAT5, ThemeForestRAT, RemotePE) against finance/crypto; DNS traps and WHOIS/traffic analysis produced expanded IoCs. CircleID — Lazarus RATs DNS trap

Malware Distribution & Infrastructure Abuse

WordPress theme compromise: functions.php injected PHP that loads external JS for redirects, pop‑ups and hidden iframe drive‑by payloads across multiple sites while evading Cloudflare. Sucuri — WordPress malvertising
Detour Dog: DNS TXT‑based control returns Base64 “down” URLs to make compromised sites fetch and relay Strela/StarFish payloads; campaign persisted across thousands of sites. Infoblox — Detour Dog & Strela Stealer
WARMCOOKIE developments: new handlers (PE/DLL/PowerShell), campaign IDs for clustering, reused SSL certs and CASTLEBOT as a loader. Elastic — Revisiting WARMCOOKIE
Rhadamanthys v0.9.x: Major format and unpacking changes (XS1_B/XS2_B, LZO, PNG stage), breaking older tools; Check Point released updated unpackers and deobfuscators. Check Point — Rhadamanthys 0.9.x
ClickFix browser stealer: fake CAPTCHA pages trick victims into executing PowerShell; Guardio published 172 IoCs and WHOIS/DNS analysis found thousands more related domains/IPs. CircleID/Guardio — ClickFix CAPTCHAgeddon
Exposed MS‑SQL servers abused with weak creds and JuicyPotato to deploy XiebroC2 (often with coinminers); report includes HostPort/Protocol/AesKey IoCs. AhnLab — XiebroC2 in MS‑SQL attacks

Linux Threats & Kernel Evasion

Koske: AI-generated Linux crypto‑miner delivered via misconfigured JupyterLab using polyglot JPEG+shellcode; installs rootkits, persists via .bashrc/systemd and runs miners—detection guidance provided using SysmonForLinux/Wazuh. Wazuh — Detecting Koske
FlipSwitch: New syscall‑hooking rootkit technique for Linux 6.9 that patches the x64_sys_call dispatcher call to redirect specific syscalls. Elastic — FlipSwitch syscall hooking

Threat Intel, Detection & Research Tooling

Validin added YARA retro‑hunting over archived virtual host responses to find historical infrastructure artifacts (e.g., thousands of exposed API keys). Validin — YARA hunting for internet infrastructure
Operational guidance: prioritize contextualized intel, automation, STIX/MITRE alignment and vendor partnerships to reduce alert fatigue and speed response. EclecticIQ — customer spotlight on intel ops

Threat Research | Weekly Recap – hendryadrian.com

SHARE THIS STORY

WhatsApp X (Twitter)Telegram Bluesky Facebook LinkedIn Threads Email Print