Threat Research | Weekly Recap [19 Oct 2025]

Cybersecurity Threat Research Weekly Recap. A wide range of state‑sponsored and criminal campaigns were observed this week, including DLL side‑loading, web shell persistence, spearphishing and credential theft, alongside growing concern about rootkits, firmware threats and supply‑chain abuse. The recap also covers new detection tools, research models and mitigations across research & tooling, vulnerabilities, and open‑source/OSS risks.
#MustangPanda #FlaxTyphoon #Jewelbug #MysteriousElephant #APT35 #CavalryWerewolf #SOGU #PlugX #ValleyRAT #SecureBoot #FrameworkDevices #AdaptixC2 #BeaverTail #Oyster #NightMARE #ExCyTInBench #EclecticIQ #Snyk

Nation-state & APT operations

  • Mustang Panda used DLL side‑loading (a hidden libjyy.dll) to run Claimloader, which decrypts its strings, persists via scheduled tasks and Run keys, and drops Publoader shellcode. (Source: Mustang Panda: Publoader/Claimloader)
  • Flax Typhoon converted a Java Server Object Extension (SOE) into a gated web shell on ArcGIS, embedded it in backups, and deployed a renamed SoftEther VPN for persistent C2 and network bridging. (Source: Flax Typhoon: ArcGIS SOE persistence)
  • Jewelbug expanded its espionage intrusions across regions, using cloud services, DLL side‑loading and custom backdoors (Finaldraft, Guidloader, Pathloader). (Source: Jewelbug APT: expanded targeting)
  • Mysterious Elephant targeted government and foreign‑affairs organisations in APAC with spearphishing, custom loaders (BabShell, MemLoader) and WhatsApp‑focused exfiltration modules. (Source: Mysterious Elephant: tools & exfiltration)
  • APT35 operations reveal a professional malware pipeline (Saqeb System, RAT‑2AC2, web shells) used against 300+ Middle East targets with TOR and multi‑hop C2. (Source: APT35: malware arsenal)
  • Cavalry Werewolf conducted public‑sector phishing with spoofed Kyrgyz government emails to deliver FoalShell and StallionRAT for remote shell access, persistence and exfiltration. (Source: Cavalry Werewolf: gov phishing)
  • A China‑attributed spearphishing campaign linked to SOGU/PlugX used LNK droppers and side‑loading through a legitimate Canon binary in European government intrusions. (Source: CN APT: Serbian gov spearphish)
  • Seqrite‑tracked campaigns (Operation Silk Lure / MotorBeacon) targeted Chinese and Russian sectors with résumé lures delivering ValleyRAT and a .NET CAPI backdoor. (Source: Operation Silk Lure: ValleyRAT)

Malware, loaders & infostealers

  • PhantomVAI loader (Katz lineage) uses obfuscated scripts, PowerShell steganography and VM checks to deliver Katz, AsyncRAT, FormBook, XWorm and DCRat. (Source: PhantomVAI loader: infostealers)
  • The polymorphic Python RAT nirorat.py uses self‑modifying code (inspect, XOR, marshal/zlib) to evade detection and offers broad remote‑access capabilities. (Source: Polymorphic Python RAT (nirorat))
  • A merged BeaverTail + OtterCookie campaign trojanized a Node package and a VS Code extension to deliver keyloggers, screenshot capture and crypto‑theft modules. (Source: BeaverTail & OtterCookie: JS module)
  • Shuyal Stealer targets 19 browsers, harvests credentials, tokens and screenshots, and exfiltrates via a hardcoded Telegram bot. (Source: Shuyal Stealer: multi‑browser theft)
  • Maranhão Stealer (Node.js) spread via pirated installers; Wazuh rules and detections are documented for SOC use. (Source: Detecting Maranhão Stealer (Wazuh))
  • GhostBat RAT Android resurgence: fake mParivahan RTO apps steal banking credentials and SMS messages and mine cryptocurrency via multi‑stage droppers and native packers. (Source: GhostBat RAT: Android RTO lures)
  • Kaiji, a Go‑based Linux/IoT botnet, offers multi‑protocol DDoS and proxying with rootkit‑style stealth and many architecture‑specific binaries. (Source: Kaiji botnet: Linux/IoT DDoS)
  • Q3 email campaigns delivered obfuscated JS downloaders that fetched .NET stealers/RATs (DarkCloud, Remcos, AgentTesla, Formbook) via steganography and PowerShell. (Source: Q3 email campaigns: JS downloaders)
  • LockBit 5.0 and Qilin/Agenda updates: cross‑platform ransomware (ESXi/Linux/Windows) with advanced obfuscation, selective encryption and anti‑forensics. (Source: LockBit 5.0 / Qilin ransomware analysis)

Rootkits, kernel & firmware threats

  • LinkPro, a multi‑stage AWS compromise, deployed an eBPF rootkit (Hide/Knock modules) with LD_PRELOAD persistence and port‑knock activation. (Source: LinkPro eBPF rootkit (Synacktiv))
  • Singularity, an LKM rootkit for Linux 6.x, uses ftrace syscall hooks, multi‑layer hiding, privilege escalation and log sanitization across x86_64 and ia32. (Source: Singularity LKM rootkit)
  • Signed UEFI shells exposing the mm memory‑modify command can overwrite Secure Boot handlers to bypass Secure Boot on many Framework devices; mitigations are DBX revocations and firmware updates. (Source: Signed UEFI shells: Secure Boot bypass)
  • The PolarEdge ELF64 backdoor targets QNAP (CVE‑2023‑20118) with an mbedTLS server, an unauthenticated binary protocol, daily fingerprinting and anti‑analysis chains. (Source: PolarEdge backdoor: QNAP implant)

Phishing, SEO poisoning & credential theft

Vulnerabilities, exploitation & breaches

  • F5 disclosed a long‑term compromise of its development systems and exfiltration of portions of BIG‑IP source code and information about undisclosed vulnerabilities; agencies are urged to inventory and patch. (Source: F5 BIG‑IP source‑code breach)
  • A CL0P extortion campaign exploited an Oracle E‑Business Suite zero‑day chain (likely CVE‑2025‑61882) to deploy Java in‑memory payloads (GOLDVEIN.JAVA) and exfiltrate EBS data. (Source: CL0P: Oracle EBS zero‑day extortion)
  • Operation Zero Disco exploited CVE‑2025‑20352 (Cisco SNMP) to install Linux rootkits on older Cisco switches, enabling RCE, universal passwords and IOSd memory hooks. (Source: Operation Zero Disco: Cisco SNMP exploit)
  • CrowdStrike blocked exploitation of Git vulnerability CVE‑2025‑48384 (malicious .gitmodules plus recursive clone leading to arbitrary file write and post‑checkout hook execution). (Source: Git CVE‑2025‑48384 exploitation)
  • Check Point found a Rust bug in win32kbase_rs.sys that causes a BSOD via a crafted EMF(+) file; Microsoft patched it in KB5058499 (OS Build 26100.4202). (Source: Rust bug in Windows kernel (win32kbase_rs.sys))
  • Recorded Future’s September 2025 CVE roundup highlights 16 high‑impact flaws to prioritize (notable vendors: Cisco, TP‑Link; exploitation observed for Cisco ASA and Sitecore chains). (Source: September 2025 CVE landscape)
  • Darktrace and others reported active SonicWall VPN exploitation (Akira campaign) along with related detections and response playbooks. (Source: Akira: SonicWall VPN exploitation)

Supply‑chain & open‑source abuse

  • The malicious npm package https-proxy-utils delivered the AdaptixC2 post‑exploitation agent via post‑install scripts, deploying OS‑specific persistence mechanisms. (Source: AdaptixC2 found in npm package)
  • Snyk mapped a phishing campaign that published 175+ disposable npm packages hosting redirect JS on unpkg to funnel victims into credential harvesters, abusing trust in the package registry and CDN. (Source: Phishing leveraging npm/unpkg)
  • Reports highlight supply‑chain risk guidance and continuous monitoring as critical mitigations for vendor and OSS compromises (SolarWinds and MOVEit lessons). (Source: How to mitigate supply‑chain attacks)
  • SEO poisoning, malvertising and trojanized open‑source assets (Node packages, VS Code extensions) were repeatedly used to distribute malware (BeaverTail/OtterCookie, fake Teams, trojanized Ivanti MSI). (Source: Trojanized OSS & tooling (BeaverTail/OtterCookie))

Detection, research & tooling

  • The IAmAntimalware PoC shows code injection into AV processes by cloning protected services and replacing Cryptographic Providers with signed malicious DLLs (CertClone demo). (Source: IAmAntimalware: AV process injection)
  • “The Emulators Gambit” shows a VEH handler emulating shellcode execution from a non‑executable .data section using chained hardware breakpoints, avoiding any change to memory protections. (Source: Emulators Gambit: non‑exec memory execution)
  • nightMARE is a Python library unifying static analysis and emulation (Rizin + Unicorn) to streamline malware‑family analysis and emulate decryption routines (e.g., LUMMA). (Source: nightMARE: RE & emulation library)
  • Microsoft’s open ExCyTIn‑Bench simulates multistage SOC investigations to benchmark AI agents against realistic Sentinel datasets and incident graphs. (Source: ExCyTIn‑Bench: AI for SOC benchmarking)
  • EclecticIQ added STIX custom objects to capture non‑standard intel types (crypto wallets, forensic evidence) for search, correlation and automation. (Source: STIX custom objects: EclecticIQ 3.6)
  • WhoisXML reduced false positives on its First Watch Malicious Domains feed to 1.66%, improving predictive threat intelligence and alert quality for analysts. (Source: WhoisXML First Watch: FP reduction)
  • An ANY.RUN webinar and practical posts outline evolving malware and phishing tactics (ClickFix, Tycoon2FA QR phishing, LOLBin abuse by DeerStealer) and SOC detection tips. (Source: New malware tactics: SOC tips (ANY.RUN))

Threat Research | Weekly Recap – hendryadrian.com