Threat Research | Weekly Recap [21 Dec 2025]


Cybersecurity Threat Research ‘Weekly’ Recap: State-aligned APTs, phishing campaigns, loader developments, and ransomware trends continue to reshape threats across government and enterprise targets. Key highlights span SideWinder and Cloud Atlas espionage, LongNosedGoblin, Ink Dragon, ForumTroll, APT35 leak, Phantom Enigma, DPRK campaigns, supply-chain and OSS tampering, OAuth device-code phishing, NexusRoute Android phishing, and ransomware trends including RansomHouse and Gentlemen.
#SideWinder #RansomHouse

State‑aligned APT & espionage

  • Targeted SideWinder espionage campaign uses URL shorteners, DLL sideloading via signed Microsoft binaries and India geofencing to deploy a resident agent. Zscaler: SideWinder APT
  • Cloud Atlas H1 2025 continues phishing-based Office exploit delivery (CVE-2018-0802), VBScript/PowerShell backdoors, DLL hijacking and cloud‑backed C2 for credential/cookie theft. Securelist: Cloud Atlas H1‑2025
  • LongNosedGoblin (China‑aligned) uses Group Policy and cloud services to deploy a C#/.NET espionage toolset (Nosy* tools) against SE Asia & Japan government targets. ESET: LongNosedGoblin
  • BlindEagle spear‑phishing against a Colombian agency used SVG smuggling, steganography, Caminho downloader and AES‑protected DCRAT with certificate auth. Zscaler: BlindEagle Campaign
  • Ink Dragon relay network: mapping of a distributed relay/C2 fabric that abuses ASP.NET deserialization and SharePoint flaws to deploy ShadowPad and FinalDraft for sustained espionage. Check Point: Ink Dragon
  • Operation ForumTroll targeted Russian academics with spoofed e-library lures, PowerShell downloaders and OLLVM‑obfuscated DLLs delivering the Tuoni framework. Securelist: ForumTroll Update
  • APT35 leak (Episode 4) exposes the administrative supply chain behind Iranian operations (domains, VPS, ProtonMail accounts, payments) and recurring operational-hygiene patterns that defenders can pivot on. DomainTools: APT35 Dump
  • Phantom Enigma active infrastructure includes open-directory (opendir) servers and C2s for malicious browser extensions, plus EnigmaUiLauncher masquerading as banking/invoice sites. PT Security: Phantom Enigma
  • DPRK infrastructure mapping (Acronis/Hunt.io) reveals reused certs, exposed staging directories, FRP tunneling patterns and a new Linux Badcall variant tied to Lazarus/Kimsuky. Acronis: DPRK Campaign Mapping

Loaders, infostealers & malware delivery

  • Commodity loader unmasked in targeted email campaigns (CVE‑2017‑11882, stego PNGs on Archive.org) uses fileless stages, TaskScheduler tampering and process hollowing to deploy PureLog Stealer. Cyble: Stealth Loader
  • GachiLoader (Node.js) distributed via compromised YouTube accounts; second‑stage Kidkadi uses novel PE injection (VEH abuse) to load Rhadamanthys; Check Point released a Node.js Tracer PoC. Check Point: GachiLoader
  • ClickFix social‑engineering on compromised sites led to NetSupport RAT and sideloaded StealC V2 infostealer, enabling access to VPNs and follow‑on Qilin ransomware. Sophos: ClickFix → StealC/Qilin
  • Infostealer trends (Nov 2025): AhnLab reports broad distribution of ACRStealer, LummaC2, Rhadamanthys and AURA via SEO poisoning, DLL sideloading and multi‑C2 loaders. AhnLab: Infostealer Trend
  • Rhadamanthys takedown & npm worm surge: LevelBlue notes the law‑enforcement disruption of Rhadamanthys and resumed Shai‑Hulud npm trojanization stealing developer secrets. LevelBlue: SpiderLabs Update
  • SNOWLIGHT ELF loader analysis shows XOR‑encoded payload retrieval over raw TCP and in‑memory execution via memfd_create/fexecve; automated extractor recovers C2 and GOT/PLT mappings. SEKOIA: SNOWLIGHT Loader
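The SNOWLIGHT item above describes a loader that pulls a XOR‑encoded ELF over raw TCP and an extractor that recovers the C2 from it. The block below is an added example of the analyst side of that (it is not SEKOIA's extractor): given a captured blob, it recovers a repeating XOR key by known plaintext against the ELF header, picks the shortest key period that yields a sane header, decodes, and pulls an `ip:port` string. Only standard ELF‑header facts are relied on (magic, `EI_VERSION == 1`, the seven zero padding bytes at offsets 9..15, `e_version == 1`, `e_type` of ET_EXEC/ET_DYN). The captured bytes, the 7‑byte key and the embedded C2 string are constructed.

```python
"""Known-plaintext recovery of a repeating XOR key from a captured loader payload.

Added example, not SEKOIA's extractor. The captured blob, key and embedded
C2 string below are constructed; the ELF-header facts are standard."""
import itertools
import re


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_elf(hdr: bytes) -> bool:
    """Sanity-check the first 24 bytes of a decoded ELF header (either class, LE or BE)."""
    if len(hdr) < 24 or hdr[:4] != b"\x7fELF":
        return False
    order = "little" if hdr[5] == 1 else "big"
    return (hdr[4] in (1, 2) and hdr[5] in (1, 2) and hdr[6] == 1
            and hdr[8:16] == bytes(8)
            and int.from_bytes(hdr[16:18], order) in (2, 3)     # ET_EXEC / ET_DYN
            and int.from_bytes(hdr[20:24], order) == 1)         # e_version


def candidate_prefixes():
    """Plausible first 16 bytes of e_ident: 64/32-bit class, LE/BE, OSABI SYSV or Linux."""
    for cls, data, osabi in itertools.product((2, 1), (1, 2), (0, 3)):
        yield b"\x7fELF" + bytes([cls, data, 1, osabi, 0]) + bytes(7)


def recover_xor_key(blob: bytes, max_len: int = 16):
    """Derive key bytes from a guessed e_ident, then take the shortest period that
    decodes to a sane header. A period shorter than the real key corrupts some
    checked byte; a multiple of it decodes identically, so the shortest wins."""
    if len(blob) < 24:
        return None
    for plain in candidate_prefixes():
        derived = xor(blob[:16], plain)          # key bytes under this e_ident guess
        for n in range(1, max_len + 1):
            key = derived[:n]
            if looks_like_elf(xor(blob[:24], key)):
                return key
    return None


C2_RE = re.compile(rb"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")


def extract_c2(decoded: bytes):
    """First ip:port string in the decoded payload, or None."""
    m = C2_RE.search(decoded)
    return (m.group(1).decode(), int(m.group(2))) if m else None


def analyse(blob: bytes) -> dict:
    key = recover_xor_key(blob)
    if key is None:
        return {"key": None, "c2": None}
    decoded = xor(blob, key)
    return {"key": key.hex(), "elf": looks_like_elf(decoded), "c2": extract_c2(decoded)}


# ---- constructed capture (stands in for bytes read off the loader's TCP socket) ----
def _sample_elf() -> bytes:
    """Minimal ELF64 little-endian header plus a body carrying a C2 string."""
    hdr = bytearray(64)
    hdr[:4] = b"\x7fELF"
    hdr[4], hdr[5], hdr[6] = 2, 1, 1               # ELFCLASS64, LE, EV_CURRENT
    hdr[16:18] = (2).to_bytes(2, "little")          # ET_EXEC
    hdr[18:20] = (0x3E).to_bytes(2, "little")       # EM_X86_64
    hdr[20:24] = (1).to_bytes(4, "little")          # e_version
    body = bytes(16) + b"connect-back 198.51.100.23:443\x00" + b"\x90" * 32
    return bytes(hdr) + body


SAMPLE_KEY = bytes.fromhex("5a137ec4098831")   # constructed 7-byte key
CAPTURED = xor(_sample_elf(), SAMPLE_KEY)

if __name__ == "__main__":
    print(analyse(CAPTURED))
```

The header check is what makes the shortest‑period rule safe: with a key whose bytes are not all equal, any period shorter than the true one decodes at least one of the checked bytes wrongly. For real samples, extend `candidate_prefixes` if the payload is not an ELF and swap the C2 regex for whatever the loader actually embeds (a domain, a struct of host/port, an offset into `.data`).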

Supply‑chain & OSS tampering

  • NuGet campaign against crypto libs impersonated Nethereum packages (homoglyphs, version bumps) to steal wallet secrets, OAuth tokens and redirect funds. ReversingLabs: NuGet Crypto Campaign
  • Tracer.Fody.NLog typosquat malicious NuGet package (since 2020) exfiltrates Stratis wallet JSON files and credentials to a hardcoded IP. Socket: Tracer.Fody.NLog Typosquat
  • npm supply‑chain resurgence via Shai‑Hulud trojanized packages exfiltrated developer secrets at scale. LevelBlue: npm/Shai‑Hulud
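The three items above share one pattern: a package name engineered to be mistaken for a trusted one (Nethereum homoglyphs, the `Tracer.Fody.NLog` extension of a real namespace). The block below is an added example of a registry‑watch heuristic for that, not tooling from the ReversingLabs, Socket or LevelBlue reports. It folds visually confusable characters into an ASCII skeleton, then grades a new package ID as exact, homoglyph, namespace extension, near‑edit or unrelated against an allowlist. The `TRUSTED` list and the candidate feed are constructed; only the package names that appear on this page are real.

```python
"""Registry-watch heuristic for impersonated package names.

Added example (not code from the ReversingLabs, Socket or LevelBlue reports).
The TRUSTED allowlist and the candidate feed are constructed for illustration."""
import unicodedata

# Constructed allowlist: packages an organisation actually depends on.
TRUSTED = ["Nethereum.Web3", "Nethereum.Signer", "Tracer.Fody"]

# Visually confusable characters folded to an ASCII stand-in. The fold is
# applied to both the candidate and the trusted name, so a digit in a
# legitimate ID (Web3) is treated consistently on both sides.
CONFUSABLES = {
    "0": "o", "1": "l", "|": "l", "3": "e", "5": "s", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",  # Cyrillic с у х і
    "\u0455": "s", "\u043c": "m",                                # Cyrillic ѕ м
}


def skeleton(name: str) -> str:
    """Case-fold, strip diacritics and collapse confusables so that names
    meant to look alike compare equal."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c)).lower()
    s = "".join(CONFUSABLES.get(c, c) for c in s)
    return s.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; cheap enough for short package IDs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, trusted=TRUSTED, max_edits: int = 2):
    """Return (verdict, trusted_name_it_resembles).

    Verdicts in priority order: trusted (exact; NuGet IDs are case-insensitive),
    homoglyph (identical after folding), namespace-squat (claims a trusted ID
    as its prefix, the Tracer.Fody.NLog pattern), typosquat (within max_edits
    of a trusted skeleton), unrelated."""
    by_lower = {t.lower(): t for t in trusted}
    if candidate.lower() in by_lower:
        return ("trusted", by_lower[candidate.lower()])
    cand = skeleton(candidate)
    by_skel = {skeleton(t): t for t in trusted}
    if cand in by_skel:
        return ("homoglyph", by_skel[cand])
    for sk, t in by_skel.items():
        if cand.startswith(sk + "."):
            return ("namespace-squat", t)
    for sk, t in by_skel.items():
        if edit_distance(cand, sk) <= max_edits:
            return ("typosquat", t)
    return ("unrelated", None)


def scan(names):
    """Classify a batch of newly published IDs and keep only the suspicious ones."""
    out = []
    for n in names:
        verdict, like = classify(n)
        if verdict not in ("trusted", "unrelated"):
            out.append((n, verdict, like))
    return out


if __name__ == "__main__":
    # Constructed feed: a legitimate ID, a Cyrillic-е homoglyph, a dropped
    # letter, a namespace extension and an unrelated package.
    feed = ["Nethereum.Web3", "N\u0435thereum.Signer", "Netherum.Web3",
            "Tracer.Fody.NLog", "Newtonsoft.Json"]
    for hit in scan(feed):
        print(hit)
```

A `namespace-squat` verdict is a prompt to check the publisher, not a conviction: a genuine sub‑package from the same owner will trigger it too, so the follow‑up is to compare the publishing account (and signing identity, where the registry supports it) against the trusted package's owner.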

Phishing, OAuth abuse & QR‑code (quishing)

  • OAuth device‑code phishing campaigns abuse the OAuth2 device authorization flow with social lures (URLs/QRs) to obtain M365 access (SquarePhish2, Graphish) — attributed to TA2723 and other clusters. Proofpoint: OAuth Device‑Code Phishing
  • Quishing (QR‑code) payroll lures redirected targets to per‑victim, obfuscated pages that auto‑fill emails and harvest credentials using encrypted JS and rotating endpoints. CYFIRMA: Quishing Campaigns
  • NexusRoute Android phishing impersonates Indian gov services, distributes malicious APKs via GitHub Pages and runs a native‑backed RAT that intercepts SMS and steals UPI/cards. CYFIRMA: NexusRoute
  • ForumTroll & plagiarism lures targeted Russian political scientists with spoofed services to deliver PowerShell downloaders and OLLVM‑obfuscated loaders (see the espionage section above). Securelist: ForumTroll
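The device‑code item above is the one in this section that maps to a concrete hunt: the attacker's host requests the device code and polls the token endpoint, while the victim only enters the user code in a browser. The block below is an added example of that hunt, not tooling from the Proofpoint report. It builds each user's baseline of networks seen in ordinary sign‑ins and flags successful device‑code redemptions from a network outside it. The records are constructed and use a simplified shape; the `protocol` value `deviceCode` mirrors the `authenticationProtocol` attribute of Microsoft Graph sign‑in records and the assumption that the logged IP for a device‑code sign‑in is the polling client's (both should be confirmed against your own export before relying on them).

```python
"""Hunt for OAuth device-code redemptions that do not fit a user's history.

Added example, not tooling from the Proofpoint report. Records are
constructed; a real Entra ID sign-in export carries many more fields.
Assumption: the IP on a device-code sign-in is that of the polling client."""
from collections import defaultdict

# Constructed sign-in records. IPs are RFC 5737 documentation ranges, ASNs
# are from the RFC 5398 documentation block, status 0 means success.
SIGNINS = [
    {"ts": "2025-12-15T08:02:11Z", "user": "alice@contoso.example", "ip": "203.0.113.10",
     "asn": 64500, "protocol": "oAuth2", "app": "Outlook Web", "status": 0},
    {"ts": "2025-12-16T09:14:50Z", "user": "alice@contoso.example", "ip": "203.0.113.11",
     "asn": 64500, "protocol": "oAuth2", "app": "Microsoft Teams", "status": 0},
    # alice typed the user code in her browser, but the code was minted and
    # redeemed by the phisher's host on a network she has never signed in from.
    {"ts": "2025-12-17T13:44:09Z", "user": "alice@contoso.example", "ip": "198.51.100.7",
     "asn": 64510, "protocol": "deviceCode", "app": "Microsoft Office", "status": 0},
    # bob runs a CLI login from the corporate network: legitimate device-code use.
    {"ts": "2025-12-15T10:00:00Z", "user": "bob@contoso.example", "ip": "203.0.113.20",
     "asn": 64500, "protocol": "oAuth2", "app": "Azure Portal", "status": 0},
    {"ts": "2025-12-17T10:05:00Z", "user": "bob@contoso.example", "ip": "203.0.113.20",
     "asn": 64500, "protocol": "deviceCode", "app": "Azure CLI", "status": 0},
    # carol's code was never redeemed successfully (constructed failure code).
    {"ts": "2025-12-17T14:01:30Z", "user": "carol@contoso.example", "ip": "192.0.2.5",
     "asn": 64511, "protocol": "deviceCode", "app": "Microsoft Office", "status": 50126},
    # erin has no interactive history at all, so any redemption is unexplained.
    {"ts": "2025-12-18T07:30:00Z", "user": "erin@contoso.example", "ip": "192.0.2.9",
     "asn": 64511, "protocol": "deviceCode", "app": "Microsoft Office", "status": 0},
]


def baseline_asns(events):
    """Networks each user has completed a non-device-code sign-in from."""
    base = defaultdict(set)
    for e in events:
        if e["status"] == 0 and e["protocol"] != "deviceCode":
            base[e["user"]].add(e["asn"])
    return base


def find_device_code_anomalies(events):
    """Successful device-code redemptions from a network absent from the
    user's interactive baseline. Failed redemptions are skipped here; they
    are worth a lower-severity alert of their own."""
    base = baseline_asns(events)
    hits = []
    for e in events:
        if e["protocol"] != "deviceCode" or e["status"] != 0:
            continue
        if e["asn"] in base[e["user"]]:
            continue
        reason = "no baseline" if not base[e["user"]] \
            else "ASN %d never seen interactively" % e["asn"]
        hits.append({"user": e["user"], "ts": e["ts"], "ip": e["ip"],
                     "app": e["app"], "reason": reason})
    return hits


if __name__ == "__main__":
    for h in find_device_code_anomalies(SIGNINS):
        print(h)
```

In production the baseline window should be bounded (30 days is a common choice) and keyed on ASN or country rather than exact IP, as here, so that mobile users do not flood the queue. The durable fix is to disallow the device‑code flow for users and applications that do not need it; the detection covers the residue.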

Ransomware & extortion

  • RansomHouse encryption upgrade (Jolly Scorpius) moved Mario encryptor to a two‑stage, chunked scheme with primary/secondary keys, complicating decryption and static analysis. Unit42: RansomHouse
  • Gentlemen ransomware, a Go‑based RaaS, uses double extortion, rapid propagation, GPO abuse and X25519+XChaCha20 with per‑file ephemeral keys, plus defense disabling. AhnLab: Gentlemen Ransomware
  • Ransomware trend report (Nov 2025): AhnLab summarises global affected counts, DLS statistics and active group activity by country/industry. AhnLab: Ransomware Trend
  • LLMs accelerating extortion ops: SentinelLABS' analysis finds generative models speeding phishing, multilingual content and automation across reconnaissance and negotiation, with a shift to self‑hosted/open models. SentinelLABS: LLMs & Ransomware

Vulnerabilities & active exploitation

  • Gogs RCE (CVE‑2025‑8110) symbolic‑link bypass in PutContents API actively exploited to overwrite files and achieve RCE on internet‑exposed instances; Supershell Go payload observed. Wiz: Gogs RCE
  • React2Shell (CVE‑2025‑55182) critical pre‑auth RCE in React Server Components/Next.js; observed exploitation delivering miners and RATs across Windows/Linux. Microsoft: React2Shell
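The Gogs item above is an instance of a bug class worth having in muscle memory: a content‑write API checks that the requested path string lies under the repository and then writes through it, but the path is a symlink planted earlier (in a push, say), so the write lands elsewhere on the host. The block below is an added example reproducing that class side by side with a hardened writer; it is not Gogs code and makes no claim about the exact Gogs patch. The hardened version resolves every link on the path, requires the resolved file to stay inside the resolved root, and opens with `O_NOFOLLOW`. Repository, link and file names are constructed for the demo.

```python
"""Symlink-aware file write for a repository content API.

Added example, not Gogs code. lexical_write() shows the bug class from the
Gogs item (prefix check on the string, write follows the link); safe_write()
is the hardened form. Paths and file names are constructed for the demo."""
import errno
import os
import tempfile


class PathEscape(Exception):
    pass


def lexical_write(root: str, rel: str, data: bytes) -> str:
    """Vulnerable pattern: the string is under root, so the check passes,
    but open() follows the symlink and writes outside the repository."""
    root = os.path.abspath(root)
    target = os.path.abspath(os.path.join(root, rel))
    if not target.startswith(root + os.sep):
        raise PathEscape(rel)
    with open(target, "wb") as f:
        f.write(data)
    return target


def safe_write(root: str, rel: str, data: bytes) -> str:
    """Hardened: resolve every link on the path (including a linked parent
    directory), require the resolved file to stay inside the resolved root,
    and open with O_NOFOLLOW so a link re-pointed between check and use is
    still refused. A fully race-free version walks the path with openat()
    on a directory fd; that is left out to keep the example short."""
    root = os.path.realpath(root)
    target = os.path.join(root, rel)
    resolved = os.path.realpath(target)
    if os.path.commonpath([root, resolved]) != root:
        raise PathEscape(rel)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(target, flags, 0o644)
    except OSError as exc:
        if exc.errno == errno.ELOOP:          # final component is a symlink
            raise PathEscape(rel) from exc
        raise
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return target


def demo() -> dict:
    """Plant two attacker-controlled links in a fresh repo and compare both writers."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = os.path.join(tmp, "repo")
        os.mkdir(repo)
        victim = os.path.join(tmp, "outside.txt")      # stands in for a config or key file
        with open(victim, "w") as f:
            f.write("original\n")
        os.symlink(victim, os.path.join(repo, "README.md"))  # file link out of the repo
        os.symlink(tmp, os.path.join(repo, "docs"))          # directory link out of the repo

        lexical_write(repo, "README.md", b"owned\n")          # passes the prefix check
        with open(victim) as f:
            clobbered = f.read() == "owned\n"

        blocked = []
        for rel in ("README.md", "docs/dropped.txt"):
            try:
                safe_write(repo, rel, b"again\n")
                blocked.append(False)
            except PathEscape:
                blocked.append(True)

        safe_write(repo, "notes.txt", b"ok\n")                # ordinary write still works
        with open(os.path.join(repo, "notes.txt"), "rb") as f:
            normal = f.read() == b"ok\n"
        with open(victim) as f:
            untouched = f.read() == "owned\n"                 # safe_write never reached it

        return {"lexical_clobbered_outside": clobbered,
                "safe_blocked_file_link": blocked[0],
                "safe_blocked_dir_link": blocked[1],
                "safe_normal_write": normal,
                "outside_untouched_after_safe": untouched}


if __name__ == "__main__":
    print(demo())
```

The second planted link (a directory symlink) is the case a check on the final component alone misses; `realpath` on the whole path catches it. When reviewing a content API, look for the same three properties: links resolved before the containment check, the check done on resolved paths, and the open refusing to follow a link at the final component.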

Malvertising, domains & DNS abuse

  • Parked domains weaponized via direct‑search parking and complex TDS to route real users to scams, scareware and malware while showing benign pages to scanners. Infoblox: Parked Domains Weaponized
  • TamperedChef malvertising: a large campaign used social engineering to push malicious scripts for credential theft and ransomware prep; dozens of malicious domains and thousands of querying clients identified in DNS data. Acronis TRU: TamperedChef DNS Traces

Mobile threats

  • Frogblight Android banker targets Turkish users with court‑case and fake Chrome lures, uses WebView JS injection, SMS and filesystem data exfiltration, REST/WebSocket C2 and signs of MaaS distribution. Securelist: Frogblight
  • NexusRoute (see above): large Android phishing/malware operation impersonating Indian gov services to steal UPI and banking creds via malicious APKs on GitHub Pages. CYFIRMA: NexusRoute

Detection, tooling & research

  • Pathfinding.cloud: open knowledge base documenting 60+ AWS IAM privilege‑escalation paths with machine‑readable IDs, prerequisites and remediation to close detection gaps. Datadog: Pathfinding.cloud
  • CrowdStrike Falcon AIDR expands Falcon to secure the AI interaction layer (prompts, agents, models, gateways) with prompt‑injection and model manipulation detection. CrowdStrike: Falcon AIDR
  • Sophos MITRE ATT&CK 2025 review: post‑test analysis of the enterprise evaluations (Scattered Spider, Mustang Panda) highlights detection gaps across AiTM phishing, SSO/IAM abuse, DLL sideloading and cloud exfil patterns. Sophos: MITRE ATT&CK 2025
  • Node.js tracing PoC (Check Point) to defeat API‑level anti‑analysis in Node.js malware (GachiLoader) and reproduce VEH‑based injection for research. Check Point: Node.js Tracer
  • PT & other threat intel updates: ongoing mappings of malicious domain clusters, C2 patterns and infrastructure pivoting useful for IOC enrichment and hunting. PT Security: Threat Intel

Threat Research | Weekly Recap – hendryadrian.com