Cybersecurity Threat Research ‘Weekly’ Recap. This week highlights state-sponsored and APT activity, including APT35’s malware pipeline and SideWinder emulation guidance, plus DragonBreath’s RONINGLOADER loader and KONNI Android operations. It also covers diverse malware families like Lumma Stealer, LeakyInjector/LeakyStealer, Remcos, Amatera, XWorm, Rhadamanthys, and VenomRAT takedowns; ransomware trends with Qilin, Akira, Cl0p, Kraken, and Yurei analyses; phishing and credential theft campaigns; supply-chain and RMM abuse including Anthropic MCP SDK flaws and the Triofox CVE; detection and threat-hunting advances; and emergent AI-driven malware, pig-butchering scams, Kubernetes trends, and macOS privilege escalation. #APT35 #SideWinder #Gh0stRAT #RONINGLOADER #KONNI #LummaStealer #LeakyInjector #LeakyStealer #Remcos #Amatera #NetSupportRAT #XWorm #Rhadamanthys #VenomRAT #Qilin #Akira #Cl0p #Kraken #Yurei #Kimsuky #AI‑drivenmalware #PigButchering #Triofox #CVE-2025-12480 #CVE-2025-24277
State‑sponsored & APT activity
- Insider leaks detail APT35’s full malware pipeline (RAT families, custom webshells, QA/training, SCADA reconnaissance and ransomware prep). CloudSEK — APT35 Ep3
- Emulation guidance and playbooks to validate defenses against SideWinder (document exploits → modular in‑memory backdoor StealerBot); includes sample hashes and attack graph. AttackIQ — Emulating SideWinder
- Chinese APT activity delivering Gh0st RAT via large‑scale brand impersonation, signed binaries, cloud hosts and DLL side‑loading to evade detection. Unit42 — Gh0st RAT impersonation
- Targeted Chinese‑language campaign from DragonBreath (APT‑Q‑27) using a novel loader RONINGLOADER with PPL abuse, signed kernel driver and WDAC tampering to disable Defender. Elastic — RONINGLOADER / DragonBreath
- State‑linked mobile campaign (KONNI) abusing Google Find Hub to remotely wipe Android devices and using KakaoTalk‑distributed MSI loaders targeting South Korea. KONNI — Android remote wipe
Malware families, RATs & stealers
- Resurgence of Lumma Stealer with adaptive JavaScript browser fingerprinting layered over C2 to profile victims and guide follow‑on actions. Trend Micro — Lumma Stealer
- Two‑stage Windows pair LeakyInjector / LeakyStealer injects a ChaCha20‑encrypted stealer into explorer.exe, persists as an Edge update component and exfiltrates wallets; components are signed with a valid EV certificate. Hybrid Analysis — LeakyInjector/LeakyStealer
- ClickFix/ClickFix‑like campaigns delivering Remcos RAT in Italy via GLS‑themed malspam that tricks users into running terminal commands. CERT‑AGID — Remcos / ClickFix
- EVALUSION campaigns use ClickFix to deploy rebranded Amatera Stealer and NetSupport RAT (AMSI bypass, WoW64 syscalls); includes decryption helpers and mitigation guidance. eSentire — EVALUSION / Amatera
- Multi‑stage VBS/batch loader deploys retro XWorm RAT via obfuscated invoice attachment with in‑memory PowerShell loaders. Malwarebytes — XWorm invoice
- International takedown: law enforcement disrupted Rhadamanthys infrastructure (Operation Endgame), impacting its stealer ecosystem and proxy services. Proofpoint — Operation Endgame / Rhadamanthys
- Disruption of commercial RAT: U.S. & partners seized VenomRAT infrastructure and arrested suspected author; actors pivoting to Remcos/XWorm. Proofpoint — VenomRAT takedown
Ransomware & extortion trends
- October 2025 saw a ~30% spike in incidents (~623), fueled by groups like Qilin, Akira, Cl0p and exploitation of appliances and deserialization RCEs. Cyble — October surge
- Q3 2025 snapshot: fragmented extortion ecosystem with ~85 active groups; LockBit resurfaces and Qilin leads activity in regions like South Korea. Checkpoint — State of Ransomware Q3 2025
- Kraken (HelloKitty‑linked) conducts big‑game hunting using SMB exploitation, Cloudflared persistence, SSHFS exfiltration and cross‑platform encryption (.zpsc extension). Cisco Talos — Kraken ransomware
- Technical analysis of Go‑based Yurei ransomware builder covering its encryption structure and builder mechanics. AhnLab — Yurei builder analysis
Phishing, supply‑side abuse & credential theft
- Spoofed “Email Delivery”/spam‑filter notifications redirect via cbssports[.]com to mdbgo[.]io phishing pages that harvest credentials and stream them via WebSockets. Malwarebytes — spam‑filter phishing
- Multi‑brand HTML attachments render fake login UIs and exfiltrate credentials to attacker Telegram bots via Bot API; templates reused across brands and regions. Cyble — Telegram bot phishing
- Facebook/Universal Music themed phishing uses fake PDFs and reCAPTCHA to harvest Facebook logins via a fraudulent popup. CERT‑AGID — Facebook themed phishing
- Beamglea campaign abused npm packages (175 malicious packages, >26k downloads) to target industrial/energy firms; researchers mapped extensive DNS/IaC links. CircleID — Beamglea npm campaign
- Malicious Chrome extension Safery: Ethereum Wallet exfiltrates BIP‑39 seed phrases by encoding them into Sui‑style addresses and broadcasting microtransactions to reveal victims’ mnemonics. Socket — Safery extension
- Threat actors trojanized an open‑source SteamCleaner build, signed and distributed via GitHub to install Node.js backdoors with sandbox evasion and persistent tasks. AhnLab — SteamCleaner trojan
- Acronis TRU/VirusTotal collaboration tracked web‑based families (FileFix/ClickFix, SideWinder, Shadow Vector) and published YARA/livehunt rules and IOC pivots for hunting document/web threats. Acronis — TRU & VT tracking
Supply‑chain, RMM abuse & exploitable tooling
- Two default‑config flaws in Anthropic’s MCP SDK enable browser‑based OAuth token theft and CI/CD supply‑chain injection, risking the distribution of validly signed but tampered updates. Cato — Anthropic MCP SDK
- Attackers abused legitimate RMMs (LogMeIn Resolve, PDQ Connect) to deliver PatoRAT by tricking users into running fake utility installers that enroll devices under attacker‑controlled CompanyId values. AhnLab — RMM abuse / PatoRAT
- Unauthenticated access to Gladinet Triofox (CVE‑2025‑12480) allowed account creation → code execution; actor installed UEM/RATs and established SSH reverse tunnels for persistent RDP. Google Cloud / Mandiant — Triofox CVE‑2025‑12480
Detection, hunting & analysis techniques
- Sysdig/Falco enhanced detection rules and new proc fields to better identify three classes of TCP reverse shells and reduce false positives. Sysdig — Hunting reverse shells
- WinDbg Time‑Travel Debugging (TTD) used to accelerate dynamic analysis of .NET process hollowing and extract an in‑memory AgentTesla payload/config. Google Cloud — TTD .NET case study
- Recorded Future research: threat intelligence is shifting to board‑level strategic use (TI in procurement, GRC and incident planning); plus a primer on how TI complements proactive threat hunting. Recorded Future — TI to the C‑Suite
- Short primer distinguishing proactive internal threat hunting from external threat intelligence and how both form a feedback loop to improve detections. Recorded Future — Hunting vs Intel
- Technical dissection of a Kimsuky JavaScript dropper infection chain for defensive hunting. Pulsedive — Kimsuky JS dropper
Emerging trends & cybercrime ecosystem
- Researchers document a rise in AI‑driven malware that queries LLMs at runtime to generate/obfuscate code and adapt payloads (families: PROMPTFLUX, PROMPTSTEAL, etc.), including APT28 use. PolySwarm — AI‑driven malware
- Pig‑butchering investment scams leverage long‑form social engineering, AI‑fabricated personas, fake trading platforms and crypto laundering networks tied to organized groups and protected compounds. CyFirma — Pig‑butchering scams
- Analysis shows a continuing long tail of outdated Kubernetes clusters despite provider LTS options; as of Oct‑1‑2025, ~3% run unsupported versions. Datadog — Kubernetes adoption 2025
- macOS local privilege escalation (CVE‑2025‑24277) in osanalyticshelperd enabled sandbox‑escape via race/rename/XPC abuse; patch restricted XPC entitlements. The Sequence — CrashOne CVE‑2025‑24277