This report highlights the latest ransomware threats, including KAWA4096, CrazyHunter, and global RaaS platforms, as well as advanced malware loaders and backdoors targeting various sectors worldwide. It also covers the rise in targeted remote access tools, phishing campaigns, and infrastructure vulnerabilities amidst geopolitical tensions. #KAWA4096 #CrazyHunter #GlobalGroup #Dark101 #GhostContainer #UNC5174 #IVANTI #Forescout #APT28
Ransomware Developments and Campaigns
- KAWA4096 ransomware emerged in June 2025 targeting the US and Japan, using multithreading and encrypted network share attacks while mimicking the styles of known ransomware groups. KAWA4096 Ransomware Surge
- CrazyHunter ransomware infected Taiwanese healthcare with USB-borne attacks exploiting vulnerable drivers and privilege escalation. Dark Web Profile: CrazyHunter Ransomware
- Crux ransomware, linked to BlackByte, uses svchost.exe and bcdedit.exe to disable recovery before encryption, primarily gaining initial access via RDP. Getting to the Crux (Ransomware) of the Matter
- NailaoLocker ransomware features AES-256-CBC with embedded SM2 keys and a rare built-in decryption function, likely an internal test build. NailaoLocker Ransomware's "Cheese"
- GLOBAL GROUP RaaS leverages AI-driven negotiation and mobile control panels for affiliates, focusing on high-value targets in multiple continents. Emerging Ransomware-as-a-Service
- BlackSuit ransomware combines Cobalt Strike, rclone, and native Windows processes for stealthy lateral movement and partial encryption. A Hybrid Approach of BlackSuit Ransomware
- Dark 101 ransomware disables system recovery and masquerades as legitimate processes to evade detection. How FortiSandbox 5.0 Detects Dark 101 Ransomware
- Matanbuchus 3.0 malware loader advances stealth and persistence capabilities, impersonating legitimate apps to deploy payloads on Windows. From a Teams Call to a Ransomware Threat
- June 2025 ransomware trends show increased samples and global impacts, with insights from AhnLab on ransomware groups and leak sites worldwide. June 2025 Threat Trend Report on Ransomware
- RMM-targeted ransomware attacks: MSPs using Atera RMM experienced attacks deploying Akira ransomware via Cloudflare tunnels. Remote Monitoring and Management Tools: A Gateway for Bulk Attacks
Advanced Remote Access Trojans and Backdoors
- AllaKore RAT and SystemBC used by Greedy Sponge to target Mexican financial institutions with geofencing and custom exfiltration. Greedy Sponge Targets Mexico
- VShell and SNOWLIGHT toolkits adopted by UNC5174 (Chinese-affiliated group) to expand C2 infrastructure and global attacks. Uncovering the DNS Underbelly of UNC5174
- OVERSTEP backdoor deployed on SonicWall SMA appliances by UNC6148, using rootkit persistence and stolen credentials. SonicWall SMA Exploitation via OVERSTEP
- GhostContainer backdoor compromises Exchange servers in Asia exploiting CVE-2020-0688, granting full control over mail infrastructure. GhostContainer backdoor
- HazyBeacon Windows backdoor uses AWS Lambda URLs for covert C2 targeting Southeast Asian governments with DLL sideloading. Behind the Clouds: Novel Covert C2 Communication
- Interlock RAT PHP variant expands delivery options with resilient C2 using trycloudflare.com and fallback IPs in widespread campaigns. KongTuke FileFix Leads to New Interlock RAT Variant
- PureRAT via Ghost Crypt crypter delivers sophisticated malware targeting crypto-related browser extensions with advanced process injection. Ghost Crypt Powers PureRAT with Hypnosis
- Agent Tesla RAT variant improves stealth and data theft using deep learning detection evasion techniques. DIANNA Explains 2: Agent Tesla - A Better RAT
Phishing, Social Engineering, and Supply Chain Attacks
- npm typosquatting phishing uses cloned npm site npnjs.com and tokenized URLs to steal developer credentials. npm Phishing Email Targets Developers
- Scanception quishing campaign employs QR codes embedded in PDFs for adversary-in-the-middle credential harvesting globally. Scanception: A QRiosity-Driven Phishing Campaign
- Rainbow Hyena phishing distributes PhantomRemote backdoor via .zip polyglot attachments to enable system surveillance and C2 communication. Rainbow Hyena Phishing Alert
- Booking.com phishing abuses official messaging to steal card data via multi-stage redirects and extensive infrastructure. Multi-Stage Phishing via Reservation Portals
- Microsoft 365 Direct Send exploit sends spoofed internal mails with malicious PDFs to over 70 US organizations, harvesting credentials. M365 Direct Send Phishing Campaign
- Chinese espionage groups target Taiwan semiconductor industry with phishing, DLL sideloading, and custom malware like Voldemort and HealthKick. Phish and Chips: China-Aligned Espionage Actors
Malware Trends, Campaigns, and Ecosystem Analysis
- AsyncRAT evolution exposes growing open-source RAT forks with advanced plugins and evasion techniques impacting malware ecosystems worldwide. Unmasking AsyncRAT
- SilverFox Chinese malware domains continue large-scale campaigns against Chinese speakers with anti-automation and expanded server distribution. Chinese Malware Delivery Domains: Part III
- Infostealer trends in June 2025 highlight SEO poisoning and novel infection methods via cracks and password-protected files. June 2025 Infostealer Trend Report
- Lumma Stealer distributed via cracked software deploys Rsockstun malware post-infection, using pen test tools as persistence. Lumma Stealer Deploys Follow-Up Malware
- Old Miner, New Tricks research exposes H2Miner crypto-mining botnet and AI-generated Lcrypt0rx ransomware targeting Linux, Windows, and containers. Old Miner, New Tricks
- Formbook malware spread continues via Office macros targeting companies involved in tenders despite MS security improvements. Widespread Formbook via Office Macro
- Konfety Android malware returns with new evasion via ZIP tampering and dynamic loading to conduct ad fraud and payload distribution. Konfety Returns: Classic Mobile Threat
- Fake Android banking apps target Bengali speakers with cryptojacking via XMRig mining activated by device lock state. Android Cryptojacker Disguised as Banking App
- Massistant forensic tool used by Chinese law enforcement for mobile data extraction risks mobile privacy through advanced Android debugging techniques. Lookout Discovers Massistant
- RedDirection browser extensions hijack Chrome and Edge with malware distributed via trusted extension marketplaces, infecting over 2.3 million users. RedDirection Malicious Browser Extensions
Exploitation and Vulnerabilities
- Ivanti Connect Secure devices exploited with CVE-2025-0282 and CVE-2025-22457 using MDifyLoader and Cobalt Strike Beacons for advanced network persistence. Malware Identified Exploiting Ivanti Vulnerabilities
- Forescout SecureConnector RCE (CVE-2025-4660) enables remote control by abusing default named pipe permissions. CVE-2025-4660: Forescout SecureConnector RCE
- IoT and IT ecosystems face rising exploit attempts, including Mirai and WannaCry variants targeting critical infrastructure, amid a global surge in brute-force attacks. Weekly IoT and IT Vulnerabilities
- Microsoft Entra ID abuse via Office 365 Exchange Online service principals (SPs) enables privilege escalation to Global Admin through forged tokens and manipulated permissions. I SPy: Escalating to Entra ID's Global Admin
Evasion, Detection, and Security Automation
- Wazuh Ruleset as Code (RaC) facilitates DevOps-style versioning and CI/CD integration for automated security rule deployment, improving detection management. Wazuh ruleset as code (RaC)
- Detecting Auto-color Linux backdoor demonstrated using Wazuh and SysmonForLinux integrations to identify stealthy malware targeting government and academic sectors. Detecting Auto-color malware with Wazuh
- AI-enhanced malware analysis improves de-obfuscation but struggles with complex packers and new frameworks; Fortinet protections cover key advanced malware families. Catching Smarter Mice with Even Smarter Cats
Web and Cloud Threats
- WordPress sites infected via malicious Google Tag Manager code injecting redirects to spam domains, affecting over 200 sites with stealthy infection methods. WordPress Redirect Malware Hidden in Google Tag Manager Code
- Phishing via SVG smuggling embeds JavaScript in SVG image files to deliver obfuscated redirects and evade detection through spoofed emails. SVG Smuggling via JavaScript Redirects
- Operation Frostbyte offers a gamified open-source training environment simulating Snowflake cloud platform attacks for defensive skills development. Behind the Making of Operation Frostbyte
- Kubernetes PKI fundamentals overview securing system components with certificate authorities, highlighting risks from missing certificate revocation mechanisms. Kubernetes security fundamentals: PKI
Geopolitical and Infrastructure Threats
- Submarine cable infrastructure faces rising sabotage risks amid geopolitical tensions primarily involving Russia and China, with limited repair capabilities threatening prolonged connectivity outages. Submarine Cables Face Increasing Threats
- Fancy Bear (APT28) continues espionage against governments and militaries worldwide, focusing on the Ukraine conflict, election interference, and Central Asian webmail exploits. APT PROFILE - FANCY BEAR