Threat Research | Weekly Recap [31 Aug 2025]

This weekly recap highlights recent developments in cybersecurity threats, including cloud-based ransomware campaigns by Storm-0501 and ongoing double-extortion attacks by groups such as Lynx/Sinobi. It also covers sophisticated espionage activity by threat actors such as UNC6384, APT37 and Silver Fox, along with emerging malware, supply-chain attacks, and evasive techniques used to bypass security controls. Stay vigilant against evolving threats and enhance defenses using the new detection tools and operational guidance referenced below.

Ransomware & extortion

  • Cloud-first extortion: Storm-0501 shifted from endpoint ransomware to rapid cloud data theft and destruction using Entra Connect, AzCopy and forged federated domains. (Source: Storm-0501 cloud ransomware)
  • RaaS activity and rebrands: multiple groups (including Lynx/Sinobi, NightSpire, Interlock, Underground and Cephalus) continue double extortion, RDP and credential abuse, DLL sideloading, and Tor/Proton leak sites. (Source: Dark web profile: Lynx ransomware)
  • Operational playbooks: AttackIQ published emulations of Warlock to help validate defenses against SharePoint exploitation and post-compromise behaviors. (Source: Emulating Warlock ransomware)

State-sponsored espionage & advanced intrusions

  • Diplomatic targeting: PRC-nexus UNC6384 hijacked captive-portal redirects to deliver signed downloaders and the in-memory SOGU.SEC backdoor. (Source: UNC6384 captive-portal campaign)
  • Regional APTs: APT37 (Operation HanKook Phantom) and TAOTH used fileless PowerShell loaders, XOR-encrypted payloads and cloud C2s to target South Korea and East Asia. (Source: Operation HanKook Phantom (APT37))
  • Wide-scale infrastructure compromise: Chinese state actors exploited edge routers and trusted-provider links to pivot and exfiltrate data (GRE/IPsec tunnels, on-box PCAP collection). (Source: CISA advisory on Chinese APT compromises)
  • Driver-based EDR bypass: Silver Fox abused a signed vulnerable driver (WatchDog/amsdk.sys) to terminate protected processes and deliver ValleyRAT. (Source: Silver Fox kernel/driver abuse)

RATs, stealers and multipurpose backdoors

  • ClickFix social engineering: Lazarus used fake recruitment lures and a ClickFix flow to push BeaverTail and InvisibleFerret on Windows and macOS. (Source: Lazarus ClickFix malware deliveries)
  • Cross-platform backdoors & stealers: the novel Linux backdoor MystRodX (DNS/ICMP triggers), a trojanized Electron AppSuite PDF backdoor, and the macOS Atomic (AMOS) stealer, now with a persistent backdoor. (Source: MystRodX covert backdoor)
  • Windows and Android threats: GodRAT (steganography, plugins), the TinkyWinkey keylogger, and the advanced Android banking trojan Hook v3 with overlays and screen streaming. (Source: GodRAT analysis)
  • Stealers & loaders: the Python-based Inf0s3c Stealer, UpCrypter JS droppers delivering multiple RATs, and TransferLoader/RomCom infrastructure links enabling credential capture and follow-on access. (Source: Inf0s3c stealer)

Supply‑chain & repository attacks

  • npm compromise & AI tooling abuse: an attacker injected malicious Nx packages (using a stolen publish token) that abused local AI CLI tools to harvest tokens and keys and exfiltrate them to public repos. (Source: Nx packages compromised)
  • Package impersonation: the trojan npm package nodejs-smtp impersonated nodemailer and rewrote Electron ASARs to redirect crypto wallet transfers. (Source: Wallet-draining npm impersonation)
  • Marketplace & extension abuse: a VS Code name-reuse loophole enabled malicious extension impersonation; a popular Chrome VPN extension secretly captured screenshots of users. (Source: VS Code extension name reuse)

Vulnerabilities, exploitation chains & EDR evasion

  • Sitecore full-chain RCE: pre-auth HTML cache poisoning chained with insecure deserialization and ItemService enumeration to reach RCE on patched instances. (Source: Sitecore cache poisoning → RCE)
  • Archive & extraction dangers: two WinRAR flaws (CVE-2025-6218, CVE-2025-8088) enable directory traversal and NTFS alternate data streams (ADS) to hide payloads; actively exploited. (Source: WinRAR traversal & ADS vulns)
  • Local service auth bypass: a critical WebSocket auth bypass in Claude Code extensions (CVE-2025-52882) allowed websites to access local MCP servers and run code. (Source: Claude Code WebSocket bypass)
  • EDR evasion techniques: a novel PowerShell loader uses CallWindowProcA to invoke shellcode, and legitimate tools (Velociraptor) are abused for remote access; defenders can use Wazuh rules and adversary emulation to detect such behaviors. (Source: CallWindowProcA shellcode technique)

Phishing, scams & social engineering

  • Event-centric fraud: attackers target fans and attendees (e.g., of Formula 1) using deepfakes, fake hospitality apps, NFT/crypto scams and telemetry interception; emphasize verified channels. (Source: F1 fandom threats)
  • Regional targeted scams: festive and sector-specific campaigns, including Ganesh Chaturthi online scams, a TASPEN Android campaign against Indonesian seniors, and SikkahBot banking fraud targeting students. (Source: Ganesh Chaturthi scams)
  • Phishing evolution & AI targeting: attackers use layered evasion in phishing kits, contact-form social engineering (ZipLine), multi-stage droppers, and even prompt injection to fool AI defenses. (Source: Phishing kits & evasion tactics)

C2, covert channels & exfiltration

  • DNS & covert channels: DNS tunneling (TXT records, encoded queries), ICMP triggers and tools like iodine/dnscat2 remain high-stealth exfiltration options; restrict resolvers and inspect DNS behavior. (Source: DNS tunneling risks & mitigations)
  • VPS/cloud staging & exfil: actors increasingly use VPS providers, Cloudflare Workers and public cloud services to stage tools, persist and exfiltrate data (OracleIV, Velociraptor abuse, Storm-0501). (Source: OracleIV dockerized botnet & VPS abuse)

IoT, botnets & network threats

  • Mirai lineage: the Mirai-based "Gayfemboy" botnet exploits router/VPN vendor flaws to deliver downloaders, miners and DDoS/backdoor modules at scale. (Source: Gayfemboy Mirai-based botnet)

Trends, detection & analyst resources

  • Macro trends: H1 2025 saw a ~16% rise in disclosed CVEs, a resurgence of legacy malware, growth in RATs and mobile threats, and continued evolution of affiliate ransomware models. (Source: H1 2025 malware & vuln trends)
  • Practical defenses & tooling: new detections and operational guidance, including Wazuh rules for defense evasion, AttackIQ emulations for ransomware, Validin PTR scanning and published IoC sets to accelerate hunting. (Source: Detecting defense evasion with Wazuh)

Threat Research | Weekly Recap – hendryadrian.com