Recent cybersecurity reports highlight active exploitation of SharePoint zero-days by Chinese threat actors and ongoing malware campaigns involving stealers and ransomware like Interlock and Gunra. These developments underscore the importance of prompt patching and advanced threat detection strategies. #ToolShell #CVE-2025-53770 #CVE-2025-53771 #LinenTyphoon #WaterKurita
Microsoft SharePoint Vulnerabilities & Exploitation
- The ToolShell exploit chain combines a zero-day with previously patched flaws in on-premises SharePoint servers to achieve unauthenticated remote code execution and theft of cryptographic keys, and is actively exploited by Chinese threat actors. Immediate patching and mitigation are essential. Inside The ToolShell Campaign
- CVE-2025-53770 & CVE-2025-53771 are critical zero-days impacting SharePoint services, enabling remote code execution through deserialization and ViewState abuse, with active exploitation reported globally. Microsoft and security firms urge prompt patching and key rotations. In-the-wild Exploitation of CVEs
- Additional SharePoint vulnerabilities CVE-2025-49704 and CVE-2025-49706 under active attack by China-based groups (Linen Typhoon, Violet Typhoon), emphasizing urgency for updates and defenses such as AMSI. Disrupting Active Exploitation
- A comprehensive collection of research and FAQs highlights these SharePoint zero-day attacks’ evolving tactics, encryption abuse, and payload delivery methods, underscoring the importance of unified security strategies. SharePoint Vulnerabilities: Everything You Need to Know
Information Stealers & Malware Campaigns
- Raven Stealer uses in-memory DLL injection into Chromium browsers and exfiltrates stolen data through Telegram bots; it is actively developed and distributed on GitHub and Telegram channels by the ZeroTrace Team. Raven Stealer Unmasked
- Gaming Platforms Abused: EncryptHub embedded Trojans in the Steam early access game Chemia, distributing multiple stealers (Fickle Stealer, Vidar, HijackLoader). Similarly, Electron-based malware disguised as fake indie games on Discord (Leet, RMC, Sniffer Stealers) harvests credentials and tokens. Steam games abused to deliver malware / Threat actors go gaming
- Cyber Stealer is a modular and feature-rich malware targeting browsers, wallets, and communication apps, with capabilities like crypto mining and DDoS, communicating dynamically with C2 servers. Cyber Stealer Analysis
- Following the law enforcement takedown, Lumma Stealer has returned with stealthier delivery methods and evolving infrastructure, attributed to the Water Kurita group, and continues to target users. Back to Business: Lumma Stealer Returns
- A new ACRStealer variant adds advanced evasion, encrypted C2, and socket-based communication, using AES-256 encryption and randomized paths for stealthy data theft and malware installation. New Variant of ACRStealer
Ransomware & Extortion Threats
- Interlock Ransomware employs double extortion, combining data encryption with leak threats, and is active across North America and Europe via unusual entry vectors such as drive-by downloads and ClickFix-themed social engineering. A joint CISA-FBI advisory details indicators and mitigations. #StopRansomware: Interlock / Joint Advisory on Interlock
- Gunra Ransomware reuses leaked Conti code, relies on social engineering and time-pressure tactics, encrypts with ChaCha20 and RSA keys, and deletes volume shadow copies to obstruct recovery. Gunra Ransomware Emerges
- Epsilon Red distributed through ClickFix-themed malware delivery sites with .HTA file downloads, using fake verification codes and impersonations (Discord Captcha Bot, Twitch) to propagate ransomware. ClickFix lures spread Epsilon Red
State-Sponsored & APT Activity
- Laundry Bear (Void Blizzard), a Russian APT, targets NATO and Ukraine with spear phishing and credential theft; researchers used infrastructure pivoting to uncover additional malicious infrastructure beyond Microsoft’s published indicators. Hunting Laundry Bear
- Illusory Wishes: China-nexus APT attacks Tibetan community using Ghost RAT and PhantomNet backdoors via multi-stage infections around Dalai Lama’s 90th birthday, employing DLL sideloading and stealthy payload delivery. Illusory Wishes: China-nexus APT
- Operation CargoTalon (UNG0901) targets the Russian aerospace and defense sector with the EAGLET implant, delivered disguised as logistics documents, which enables remote command execution and stealthy exfiltration; the activity is linked to sanctioned entities. Operation CargoTalon: UNG0901 Targets Aerospace
- APT41 in Africa leverages custom tools and publicly available software (Cobalt Strike, Pillager, Mimikatz) for credential dumping, lateral movement, and data exfiltration via compromised SharePoint servers in African government IT infrastructures. The SOC files: APT41’s new target
- MuddyWater (Iranian APT) deploys DCHSpy surveillanceware through malicious VPN apps exploiting geopolitical tensions, focusing on file and WhatsApp data exfiltration. Lookout Discovers DCHSpy
- LAMEHUG is the first known LLM-powered malware attributed to APT28; it dynamically generates commands using the Qwen2.5 LLM in attacks against Ukrainian officials, marking an evolution in AI-powered cyber operations. Analyzing LAMEHUG
Phishing & Social Engineering Campaigns
- Israel-Iran conflict phishing exploits crisis fears by offering fake evacuation flights, purportedly on Embraer jets, to steal personal and financial data. A Special Mission to Nowhere
- Salesforce Vishing by UNC6040 targets organizations via voice phishing, impersonating IT to trick users into authorizing malicious apps for large-scale data theft and extortion. Growing Vishing Threat from UNC6040
- Fake Zoom Call Phishing: Campaign uses deceptive urgent emails and fake Zoom meeting pages to harvest workplace credentials, exfiltrating via Telegram bots. Fake Zoom Call Lures
- Red Bull Recruitment Phishing uses legitimate email services and valid TLS certificates, plus multi-domain infrastructure, to evade detection and steal credentials via fake Facebook login pages. Red Bull Phishing Campaign
- DHL Brand Supply Chain Phishing abuses third-party partnerships to lend credibility to lures; the campaign was detected using sandboxing and threat intelligence, highlighting rising supply chain risk. Beating Supply Chain Attacks: DHL Case
Remote Access Trojans & Backdoors
- EdskManager RAT is a multi-stage RAT leveraging encrypted configs, HVNC, cloud-hosted components, and dynamic C2 infrastructure, with strong evasion and persistence. EdskManager RAT Analysis
- Obfuscated Web Shell UpdateChecker.aspx enables remote control on compromised IIS servers using encrypted JSON commands, facilitating comprehensive system manipulation. In-Depth Analysis of Web Shell
- Stealthy WordPress Backdoor hidden in mu-plugins folder uses ROT13 obfuscation to fetch remote payloads and create hidden admin accounts for persistent access. Uncovering WordPress Backdoor
- RokRAT Malware distributed via malicious Hangul (.hwp) documents, employing DLL side-loading and shellcode in images for stealthy execution and data theft. RokRAT Distribution via HWP Docs
- Lazarus Group’s Deceptive Development impersonates NVIDIA updates, using multi-stage payloads that steal credentials and install backdoors targeting cryptocurrency data. Lazarus’ Latest Tactics
Credential Theft & Scam Operations
- Android Banking Malware posing as Indian bank apps steals credentials and SMS messages using Firebase C2 and phishing interfaces. Android Malware Posing as Bank Apps
- A Malicious LNK File disguised as a credit card authentication popup executes PowerShell and reflective DLL injection to steal data and evade detection. Malicious LNK Disguised as Security Popup
- Net RFQ Scammers exploit vendor net financing and stolen business identities to fraudulently acquire electronics and goods, involving complex logistics fraud. Request for Quote Scammers Disrupted
- Slow Pisces Attack targets cryptocurrency developers on LinkedIn via fake employer profiles distributing RN Loader and RN Stealer malware through coding challenge scams. Slow Pisces DNS Infrastructure Analysis
Technical Tools & Security Enhancements
- A tool automating Azure App Services token decryption enables extraction and decoding of encrypted tokens from Azure environments by users holding Contributor rights, aiding penetration testing and security assessments. Azure Token Decryption Automation
- Microsoft Sentinel Data Lake introduces unified, scalable data management with AI-powered detection and response, breaking down silos and lowering costs for enterprise security monitoring. Microsoft Sentinel Data Lake
- Enhanced Threat Intelligence Platform by Validin adds historical HTTPS banner data and artifact collection, improving threat hunting and infrastructure analysis, used to uncover Lazarus Group assets. Substantial Upgrades to Crawling History
- RMM Tools Misused by Ransomware Gangs: an investigation details how legitimate remote monitoring tools like AnyDesk and Medusa are hijacked for persistence, lateral movement, and data theft in real attacks. Investigation of RMM Tools by Ransomware
Other Notable Threats & Techniques
- Homograph Attacks exploit visually similar non-Latin characters to bypass email security filters and impersonate trusted entities, leading to credential theft and malware delivery. The HomoGraph Illusion
- Streamlining Supply Chain Attacks: the compromise of Toptal’s GitHub organization led to the publication of multiple malicious npm packages designed to steal tokens and disrupt victims on Unix and Windows platforms. Toptal GitHub Organization Hijacked
- Mimo Expansion from Craft CMS to Magento and Docker involves advanced persistence, proxyjacking, and cryptomining, showing increasing sophistication by Mimo threat actors. Tracking Mimo’s Expansion
- SVF Botnet compromises Linux SSH servers to deploy Python-based DDoS bots communicating via Discord and proxy servers, enabling diverse flooding techniques. Attacks Targeting Linux SSH Servers
- SarangTrap Extortion Campaign targets Android and iOS users through hundreds of malicious apps and phishing domains posing as dating/social services to exfiltrate sensitive personal data. The Dark Side of Romance: SarangTrap