Threat Research | Weekly Recap [10 Aug 2025]


This weekly recap covers the latest cyber threats including ransomware campaigns, supply chain exploits, and state-sponsored activities targeting various sectors. It highlights sophisticated toolchains, zero-day abuses, and evolving malware, emphasizing the need for vigilant security measures. #RejettoHFS #Akira #SharePointVulnerabilities #DarkCloud #PXA #BlueNoroff

Ransomware & Access Abuse

  • Unauthenticated RCE in Rejetto HFS — Attackers scanned exposed HFS servers exploiting CVE‑2024‑23692 to deploy droppers and ransomware (samples: Farfli, Zenpak, jqvtd). Imperva: Rejetto HFS campaign
  • Bumblebee to Akira: SEO-poisoned IT tools — Trojanized IT management tools delivered via SEO poisoning led to privileged IT account compromise and deployment of Akira ransomware. DFIR: Bumblebee → Akira
  • MSP targeting by RaaS gangs — Akira and Lynx actors (RaaS) increasingly target MSPs/SMBs using stolen credentials, VPN flaws and EDR‑disabling techniques. Acronis: MSPs targeted by Akira & Lynx
  • Active SonicWall zero‑day abuse — Active exploitation of a SonicWall VPN zero‑day bypasses MFA and has been used to push Akira, with urgent mitigation recommended. Huntress: SonicWall VPN exploitation

Vulnerabilities & Exploitation Chains

  • SharePoint ToolShell attacks + Project AK47 — China‑linked actors abused chained SharePoint flaws (ToolShell) to deploy web shells, exfiltrate keys and deliver the Project AK47 malware family (backdoors, loaders, ransomware ties to LockBit affiliates). Unit42: Project AK47 & ToolShell
  • SAP NetWeaver → Auto‑Color backdoor — Exploitation of CVE‑2025‑31324 led to a Linux ELF RAT using ld.so.preload persistence and suppressed C2 activity when unreachable. Darktrace: Auto‑Color backdoor
  • Streamlit file‑upload flaw enables cloud takeover — Client‑side validation bypass lets attackers upload dangerous files to misconfigured cloud instances, risking dashboard tampering and account takeover. CatoNetworks: Streamlit file upload issue

Stealers, Infostealers & Campaign Evolution

  • DarkCloud stealer — new variants & obfuscation — Multi‑stage phishing with fileless payloads, process hollowing and ConfuserEx/VB6 obfuscation complicates detection and credential theft campaigns. Unit42: DarkCloud infection chains
  • PXA Stealer & Telegram ecosystem — Python‑based PXA Stealer campaign targeted >4,000 victims and monetizes data via Telegram‑powered marketplaces. SentinelOne: PXA Stealer
  • Efimer crypto‑theft via mass mailings — ClipBanker‑style Trojan replaces wallet addresses, harvests mnemonics and communicates over Tor; distribution via email, compromised WordPress sites and torrents. Kaspersky: Efimer campaign
  • REMCOS delivered via malicious LNKs — Stealthy LNKs use PowerShell/Base64 chains to drop the REMCOS backdoor in multi‑stage attacks. PointWild: REMCOS via LNK
  • Raspberry Robin updates — Continued evolution with new obfuscation, encryption and local EoP exploits; operators use invalid Tor names to frustrate IOC harvesting. Zscaler: Raspberry Robin tracking
  • Silent Watcher — Cmimai stealer VBS — K7 Labs’ analysis shows a multi‑stage VBS payload that loads obfuscated modules to steal credentials and browser data; the report highlights persistent obfuscation and modular exfiltration. #Cmimai #VBS K7 Labs: Silent Watcher (Cmimai)

Mobile Banking & Android Threats

  • DoubleTrouble Android banker — Android trojan abuses Accessibility Services, hides payloads in resources, records screens and overlays to steal PINs; distribution shifted to Discord‑hosted APKs. Zimperium: DoubleTrouble analysis
  • Android SpyBanker — call rerouting — “Customer Help Service.apk” steals SMS/OTPs and reroutes calls via a hardcoded number to facilitate fraud targeting Indian banks. K7 Labs: Android SpyBanker
  • Indian banking malware mines Monero — Hindi‑focused fake finance apps steal data and run XMRig via remote triggers (FCM); targets include SBI, AxisBank, IndusIndBank. McAfee: Android banking + crypto miner

Open‑Source Supply Chain & Registry Abuse

  • 60 malicious RubyGems — Long‑running supply‑chain campaign published 60 trojanized gems that exfiltrate credentials; heavy focus on South Korean targets and >275k downloads. Socket: Malicious RubyGems
  • 11 malicious Go modules (typosquats) — Go typosquats used index‑based string obfuscation to execute shells and fetch remote payloads from .icu/.tech domains targeting Linux and Windows. Socket: Malicious Go packages
  • Q2 2025: Malicious OSS packages trends — FortiGuard finds persistent NPM/PyPI abuse with install‑time execution, credential/wallet theft and increased obfuscation; includes detection guidance. Fortinet: Malicious OSS registries (Q2 2025)
  • Gravity Forms plugin supply‑chain breach — Backdoor in GravityForms v2.9.12 exfiltrated site data and allowed RCE via gravityapi[.]org; patched in v2.9.13. Patchstack: GravityForms backdoor
  • BEAM: network‑based supply chain detector — Netskope released BEAM, an open‑source ML detector that spots suspicious app behavior in network traffic without agents. Netskope: BEAM detector

Adtech, Malvertising & Fraud Networks

  • VexTrio adtech fraud network — Large malicious traffic distribution platform evolved from spammers to adtech, powering dating/crypto scams and affiliate networks like Los Pollos and Taco Loco. Infoblox: VexTrio origin story
  • Malvertising delivers Oyster/Broomstick backdoors — SEO poisoning and trojanized tools distributed via ads have been used to plant backdoors and facilitate LockBit activity. Arctic Wolf: Malvertising → backdoors
  • Fake Binance site via Facebook ads — Malware distributed through Facebook ads impersonating Binance installs an MSI infostealer that opens local listening ports and collects browser/system data. AhnLab: Facebook ads → Binance impostor

Crypto Scams & Web3 Fraud

  • Smart contract drainer scams — Malicious contracts posing as trading bots stole >$900k; operators used aged YouTube accounts and AI‑generated videos to feign legitimacy. SentinelLabs: Smart contract scams
  • Malicious Facebook ads + wallet stealers — (See AhnLab) social ad channels remain an effective distribution path for crypto‑targeting infostealers.

Nation‑state & High‑profile Intrusion Tooling

  • VELETRIX loader & DragonClone — China‑nexus campaign targeting telecom infrastructure uses sophisticated VELETRIX loaders, shellcode and tailored C2 for mass espionage. 0x0d4y: VELETRIX analysis
  • BlueNoroff DNS investigation — Malicious Zoom extension masquerading as a Calendly invite led to a complex DNS footprint tied to the BlueNoroff campaign. CircleID: BlueNoroff DNS investigation
  • RoKRAT (APT37) — shellcode & steganography — New RoKRAT variants use encrypted shellcode injection, steganographic C2 channels (Dropbox abuse) and fileless persistence; EDR tuning is critical. Genians: RoKRAT analysis

Linux Persistence, Loaders & EDR‑Evasion

  • Plague PAM backdoor — New PAM‑based Linux backdoor modifies authentication to grant covert SSH access while evading AV and clearing session traces. Nextron: Plague PAM backdoor
  • Hiding payloads in Linux xattr — PoC shows attackers can split/encode payloads into extended attributes; detection via recursive getfattr scanning recommended. SANS ISC: xattr payload hiding
  • AV‑killer via ThrottleStop.sys — Driver abuse (ThrottleStop.sys) observed terminating AV processes to enable lateral movement and ransomware deployment (e.g., MedusaLocker). Kaspersky: AV killer via ThrottleStop.sys
  • SLOW#TEMPEST Cobalt Strike sideload — ISO targeting Chinese users uses DLL sideloading with an Alibaba executable to spawn Cobalt Strike beacons. dmpdump: SLOW#TEMPEST loader
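
The xattr item above recommends recursive getfattr scanning; the scanner below is an added example written for this recap, not code from the SANS ISC diary or from this page. It uses Python's os.listxattr/os.getxattr in place of getfattr, and the size threshold and numbered-attribute count it flags are assumptions.

```python
import base64
import os
import re

MAX_BENIGN_VALUE = 512    # assumed: user.* values larger than this are unusual
MIN_SPLIT_PARTS = 3       # assumed: this many numbered user.* attrs on one file suggests a split payload
NUMBERED_ATTR = re.compile(r"^user\.[A-Za-z0-9_.-]*?(\d+)$")   # e.g. user.p0, user.p1, ...
B64_TEXT = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")

def looks_base64(value: bytes) -> bool:
    """True if the value is base64 text of non-trivial length that decodes cleanly."""
    if len(value) < 16 or not B64_TEXT.match(value):
        return False
    try:
        base64.b64decode(value)
        return True
    except ValueError:    # binascii.Error (bad padding) is a ValueError subclass
        return False

def analyze_xattrs(path: str, attrs: dict[str, bytes]) -> list[str]:
    """Return findings for one file's extended attributes (name -> raw value)."""
    findings, numbered, total = [], [], 0
    for name, value in attrs.items():
        if not name.startswith("user."):
            continue          # security./system./trusted. namespaces are OS-managed
        total += len(value)
        if NUMBERED_ATTR.match(name):
            numbered.append(name)
        if len(value) > MAX_BENIGN_VALUE:
            findings.append(f"{path}: {name} holds {len(value)} bytes")
        if looks_base64(value):
            findings.append(f"{path}: {name} looks base64-encoded")
    if len(numbered) >= MIN_SPLIT_PARTS:
        findings.append(f"{path}: {len(numbered)} numbered attrs ({total} bytes) may be a split payload")
    return findings

def scan_tree(root: str) -> list[str]:
    """Recursive walk (the getfattr -R equivalent) using os.listxattr/os.getxattr."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                names = os.listxattr(path, follow_symlinks=False)
                attrs = {n: os.getxattr(path, n, follow_symlinks=False) for n in names}
            except OSError:   # filesystem without xattr support, or permission denied
                continue
            findings.extend(analyze_xattrs(path, attrs))
    return findings
```

Small desktop metadata such as user.xdg.origin.url falls under the size threshold and is not flagged, so the findings list is short enough to triage by hand on a typical host.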

Data Breaches & Fraud Markets

  • Italian hotels — ID docs for sale — Tens of thousands of high‑res passport/ID scans from three hotels appeared for sale after unauthorized access, enabling sophisticated identity fraud. CERT‑AGID: Stolen hotel identity documents
  • PXA Stealer/Telegram resale — (See PXA Stealer) stolen datasets are actively monetized via Telegram marketplaces and automation. SentinelOne: PXA Stealer

Short briefs & notable tooling

  • Netskope BEAM — Open‑source, network‑based ML detector for supply‑chain compromise without requiring endpoint agents. Netskope: BEAM
  • GenAI used to craft phishing pages — Attackers used generative AI tools (DeepSite AI, BlackBox AI) to create convincing pages impersonating Brazilian gov sites and leveraged SEO poisoning. Zscaler: GenAI phishing (Brazil)
  • 11 malicious Go packages — (See Supply Chain) Go typosquats fetch obfuscated remote payloads from .icu/.tech domains. Socket: Malicious Go modules
  • Shared EDR kill‑chain tools — Underground marketplaces and ransomware actors increasingly share sophisticated EDR killers (e.g., HeartCrypt family), complicating defenses. Sophos: EDR killer sharing
  • Raksha Bandhan scams — Scammers leveraged festival‑themed lures (fake gifts, offers) to phish credentials and solicit payments via WhatsApp/SMS and malicious links. #RakshaBandhan #WhatsApp CloudSEK: Raksha Bandhan scams

Threat Research | Weekly Recap – hendryadrian.com