Recent cybersecurity threat research highlights the rise of new ransomware groups like NightSpire and Lyrix, targeting SMEs and Windows users with sophisticated techniques. Advanced persistent threats such as Konni and Void Blizzard continue to focus on geopolitical espionage, while malware campaigns exploit supply chain vulnerabilities to deploy mining malware and remote access trojans. #NightSpire #LyrixRansomware #Konni #VoidBlizzard #FormBook
Ransomware and Cybercrime Groups
- NightSpire: New ransomware group using double extortion, targeting SMEs worldwide with CVE-2024-55591 exploits and living-off-the-land techniques. NightSpire Ransomware Profile
- Lyrix Ransomware: Python-based ransomware for Windows with strong evasion, AES256 encryption, destructive recovery disablement, and data leak threats. Lyrix Ransomware Analysis
- Silent Ransom Group (SRG): Targeting U.S. law firms via social engineering and callback phishing to gain remote access and demand ransom under threat of data exposure. FBI Warning on SRG
- CyberLock, LuckyGh0$t & Numero: Malware disguised as AI tool installers exploiting AI hype to attack tech, B2B sales, and marketing industries. Fake AI Tool Installer Campaigns
- Scattered Spider: Financially motivated group targeting large enterprises using ransomware families ALPHV/BlackCat and DragonForce with extensive social engineering. Emulating Scattered Spider
- PureHVNC RAT: Delivered via fake job offers from fashion/beauty brands, using multi-layer infection chains with PowerShell, AutoIt, and process hollowing for stealth and persistence. PureHVNC RAT Campaign
Advanced Persistent Threat (APT) Activity
- Konni (North Korea): Multiple campaigns deploying PowerShell malware hidden in documents related to cryptocurrency and banking, targeting South Korean financial and national assets. Konni Malware & Crypto Lures / KB Kookmin Bank Campaign
- Void Blizzard: Russia-affiliated espionage actor targeting NATO, Ukraine, and critical sectors via spear phishing and cloud service abuse including Microsoft Entra portals. Void Blizzard Threat Report
- Earth Lamia: China-based APT exploiting web app vulnerabilities across Brazil, India, Southeast Asia; uses custom tools like PULSEPACK and BypassBoss. Earth Lamia Analysis
- SideWinder APT: Updated toolset expanding attacks on maritime, logistics, and nuclear sectors in Asia and Africa with new DNS-based infrastructure. SideWinder Campaign Analysis
- APT32/Ocean Lotus: MST transform abuse in ISO images deploying multi-stage payloads with DLL side-loading and encrypted shellcode for persistence. APT32 Installer Abuse
- Bitter APT: Spear phishing Pakistani telecom employees amid regional conflict; deploying WmRAT remote trojan for persistent access. Bitter APT Campaign
Infostealers and Malware Campaigns
- StealC v2: Advanced infostealer with JSON C2, hardware ID evasion, and broad targeting excluding CIS countries. StealC v2 Malware
- Octalyn Stealer: Pascal-based infostealer targeting all Windows versions; exfiltrates data stealthily via the Telegram Bot API. Octalyn Stealer Overview
- EDDIESTEALER: Novel Rust-based infostealer spread through fake CAPTCHA campaigns, harvesting credentials and crypto wallets via PowerShell scripts. EDDIESTEALER Discovery
- FormBook: Infostealer using advanced evasion (process hollowing, Heaven's Gate), encrypted C2s, and phishing distribution. FormBook Campaign
- AsyncRAT (Rust variants): Remote access trojan with improved obfuscation and cross-platform features, distributed in Italy via steganographic TAR archives. AsyncRAT Rust Variant / AsyncRAT Italy Distribution
- VenomRAT: Malware campaign using fake Bitdefender download sites to spread modular RATs for credential theft and persistence. VenomRAT Campaign Details
Supply Chain and Software Exploits
- Malicious npm Package: Typosquatted xlsx-to-json-lh package deletes projects remotely; stealthy six-year presence in npm repositories. Malicious npm Package Incident
- Monkey-Patched PyPI Packages: Semantic-types package exfiltrates Solana private keys using monkey patching and encrypted blockchain transactions. PyPI Supply Chain Attack
- CVE-2025-4632 (Samsung MagicINFO): Remote code execution exploited to deploy XMRig cryptominer, abusing AnyDesk for persistence and evasion. Samsung MagicINFO Compromise
- Ivanti EMM Vulnerabilities: China-nexus group exploits two critical RCE flaws (CVE-2025-4427/28) to deploy KrustyLoader and exfiltrate data globally. Ivanti EMM Exploitation
- SonicWall NetExtender Privilege Escalation: Arbitrary SYSTEM file deletion allows local privilege escalation; patched in version 10.3.2. NetExtender Vulnerabilities
- Mimo Campaign: Craft CMS exploited via CVE-2025-32432 to deploy crypto miners and proxyware linked to attacker infrastructure on TikTok. Mimo Campaign Analysis
Phishing and Social Engineering
- Phishing-as-a-Service (PhaaS): Dadsec and Tycoon2FA platforms using Adversary-in-the-Middle attacks, Cloudflare Turnstile challenges, and decoy pages to bypass MFA. PhaaS Campaign Insights
- Google Apps Script Phishing: Credential theft campaign using trusted Google domains to host fake invoices and redirect victims to legitimate Microsoft login pages. Google Apps Script Phishing
- Fake Coursera Phishing: Spoofed online learning platforms lure users with free certificate offers directing to fake Meta login for credential harvesting. Coursera Phishing Campaign
- DigiYatra Impersonation: Fake Indian government travel site harvesting personal data; takedown coordinated with authorities. Fake DigiYatra Website
- MSSP Phishing Investigations: ANY.RUN sandbox aids MSSPs in detecting and analyzing sophisticated phishing kits like Tycoon for improved response. Phishing Analysis with ANY.RUN
Credential Theft and Banking Malware
- Zanubis Android Trojan: Advanced banking malware targeting Peruvian financial institutions with overlay attacks, SMS hijacking, fake updates, and strong encryption. Zanubis Evolution
- Monkey-Patched PyPI Packages: Stealing Solana crypto private keys by hijacking dependencies in developer environments. Solana Key Theft
Malware Evasion & Detection Techniques
- Alternate Data Streams (ADS): Used for hiding malicious files on NTFS volumes; notably employed by Indrik Spider with BitPaymer ransomware. ADS Techniques & Detection
- defendnot: Malware bypassing Windows Defender via fake antivirus registration using WSC APIs; defensive strategies include Sigma rules and behavioral detection. defendnot Evasion Analysis
- New Rust-based AsyncRAT Variants: Enhanced obfuscation and stealth plugin management expanding cross-platform RAT capabilities. AsyncRAT Rust Variant
- Process Hollowing & Obfuscation: Exploited by PureHVNC RAT and FormBook malware to evade detection and maintain persistence. PureHVNC RAT / FormBook Evasion
Remote Access Tools Abuse
- Hijacking Legitimate RATs: ConnectWise ScreenConnect, FleetDeck, and Atera with Splashtop abused to deliver malware and conduct espionage, in campaigns ranging from U.S. social security spoofing lures to attacks on European finance sectors. RAT Abuse Campaigns
Sector and Threat Landscape Trends
- Global Domain Activity Q1 2025: 3.9% drop in new domain registrations; .com still dominant; malicious domains mostly found in .com, .org, .ru. Domain Activity Report
- Website Malware Motivations: Financial gain drives attacks like SEO spam, phishing, browser redirects, fake updates, MageCart credit card theft, and defacements. Website Malware Motivations