LATEST THREAT INTELLIGENCE.
How Interlock Ransomware Affects the Defense Industrial Base Supply Chain
Description: Interlock Ransomware has recently targeted National Defense Corporation and its subsidiaries, impacting the defense industrial base supply chain. The group's attack on AMTEC, a manufacturer of ammunition and explosives, has exposed sensitive information about global defense contractors and their supply chains. This incident highlights the cascading effects of such attacks on military operations, national security, and intellectual property. The compromised data includes details about contracts, logistics, and distribution networks of major defense corporations. The attack underscores the critical need for robust cybersecurity measures in the defense sector, especially given the potential involvement of state-sponsored actors and the implications for geopolitical influence and espionage.
Created at: 2025-05-16T17:20:36.674000
Updated at: 2025-06-15T17:02:49.553000
Shared SSH Keys Expose Phishing Infrastructure Targeting Kuwait
Description: An ongoing phishing campaign targeting Kuwait's fisheries, telecommunications, and insurance sectors has been identified, utilizing over 100 domains for credential harvesting. The operation, observed since early 2025, employs cloned login portals and impersonated web pages. The infrastructure shares operational fingerprints, including reused SSH authentication keys and consistent ASN usage, allowing related assets to be linked. The campaign primarily targets the National Fishing Company of Kuwait, the automotive insurance sector, and Zain telecommunications. The actors use brand-inspired domain names and transliterations rather than direct typosquatting. Mobile payment lures targeting Zain customers have also been observed, potentially enabling further social engineering attacks.
Created at: 2025-05-16T16:33:01.453000
Updated at: 2025-06-15T16:02:31.429000
Mass Scanning and Exploit Campaigns
Description: Trustwave SpiderLabs has identified ongoing malicious activities originating from Proton66 ASN, including vulnerability scanning, exploit attempts, and phishing campaigns. The investigation revealed connections between Proton66 and bulletproof hosting services advertised on underground forums. Mass scanning and exploit campaigns targeting multiple sectors were observed, with technology and financial organizations being the most common targets. A specific IP address linked to SuperBlack ransomware operators was found distributing critical exploits. The analysis also uncovered a potential rebranding of underground hosting services and shifts in IP addresses between different ASNs, suggesting relationships between providers.
Created at: 2025-05-16T08:51:13.169000
Updated at: 2025-06-15T08:05:52.460000
Part 2: Compromised WordPress Pages and Malware Campaigns
Description: This analysis focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. The threat actors used redirector scripts to target users from various countries, mimicking the Google Play Store. Additionally, the XWorm campaign targeted Korean-speaking users through fake investment chat rooms. The Strela Stealer targeted email clients in German-speaking countries, while the WeaXor ransomware, a revised version of Mallox, was also observed. The report details the infection chains, provides IOCs, and recommends blocking CIDR ranges associated with Proton66 and Chang Way Technologies to mitigate risks.
Created at: 2025-05-16T08:51:12.261000
Updated at: 2025-06-15T08:05:52.460000
Yet Another NodeJS Backdoor (YaNB): A Modern Challenge
Description: A resurgence in malicious campaigns exploiting deceptive CAPTCHA verifications has been observed, tricking users into executing NodeJS-based backdoors and deploying sophisticated Remote Access Trojans. The attack begins with a malicious NodeJS script connecting to attacker-controlled infrastructure, remaining passive until further commands are received. An advanced NodeJS RAT variant capable of tunneling malicious traffic through SOCKS5 proxies and using XOR-based encryption was uncovered. The campaign, known as KongTuke, uses compromised websites as initial access points. The malware employs anti-VM mechanisms, collects system information, and establishes persistence. It includes features for command execution, payload dropping, and covert communication. The RAT's functionality includes detailed system reconnaissance, remote command execution, and network traffic tunneling.
Created at: 2025-05-16T08:51:10.519000
Updated at: 2025-06-15T08:05:52.460000
Operation RoundPress targeting high-value webmail servers
Description: Operation RoundPress is a Russia-aligned espionage campaign targeting webmail servers through XSS vulnerabilities. The attackers, believed to be the Sednit group, use spearphishing emails to exploit vulnerabilities in Roundcube, Horde, MDaemon, and Zimbra webmail software. Their goal is to steal confidential data from specific email accounts. The operation expanded its targets in 2024, using both known and zero-day vulnerabilities. Victims include government entities and defense companies, primarily in Eastern Europe. The attackers employ various JavaScript payloads (SpyPress) to steal credentials, exfiltrate contacts and emails, and in some cases bypass two-factor authentication. The campaign demonstrates the ongoing threat to organizations with outdated webmail servers.
Created at: 2025-05-15T14:08:15.178000
Updated at: 2025-06-14T14:03:39.630000
Web Scanning SonicWall for CVE-2021-20016 - Update
Description: There has been a significant increase in scanning activity targeting SonicWall devices, specifically probing for the CVE-2021-20016 vulnerability. The activity has grown tenfold over the past 14 days, with multiple sources reporting probes against two specific URLs. The most active IP addresses originate from the 141.98.80.0/24 subnet. The diary provides a list of indicator IP addresses involved in the scanning activity. This surge in scanning highlights the ongoing threat landscape surrounding the SonicWall vulnerability, emphasizing the importance of patching and monitoring for potential exploitation attempts.
Created at: 2025-05-15T11:58:28.760000
Updated at: 2025-06-14T11:00:25.937000
Private Contractor Linked to Multiple Chinese State-Sponsored Groups
Description: A recent leak from I-SOON, a Chinese IT and cybersecurity company, has revealed connections to several state-sponsored cyber groups including RedAlpha, RedHotel, and Poison Carp. The leak exposes a sophisticated espionage network involving the theft of communications data for individual tracking. Analysis confirms operational and organizational ties between I-SOON and these groups, highlighting I-SOON's role as a digital quartermaster providing shared cyber capabilities in China's aggressive cyber ecosystem. Despite the leak, I-SOON is expected to continue operations with minor adjustments. The revelation enhances understanding of Chinese cyber espionage and may impact future US legal actions against I-SOON operatives.
Created at: 2025-06-13T19:49:19.039000
Updated at: 2025-06-13T20:27:28.555000
May 2025 Security Issues in Korean & Global Financial Sector
Description: This comprehensive analysis covers cyber threats targeting financial companies in Korea and globally. It examines malware and phishing cases, top 10 malware strains, and statistics on leaked Korean accounts. The report delves into major financial threats on the dark web, including credit card data breaches, database breaches, and ransomware attacks. A notable case involves the Arkana ransomware group's breach of a global online brokerage firm, In***, resulting in the theft of 50 GB of customer data, including KYC submissions and information of over 163,000 customers. The incident highlights vulnerabilities in trading platforms' identity verification and account protection systems, emphasizing the need for enhanced security measures beyond regulatory compliance.
Created at: 2025-06-13T14:47:05.019000
Updated at: 2025-06-13T20:23:18.743000
From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery
Description: Check Point Research uncovered a malware campaign exploiting expired Discord invite links to redirect users to malicious servers. The attackers use a combination of techniques including ClickFix phishing, multi-stage loaders, and time-based evasions to deliver AsyncRAT and a customized Skuld Stealer targeting crypto wallets. The campaign leverages trusted cloud services for payload delivery and data exfiltration to avoid detection. The operation continues to evolve, with threat actors now able to bypass Chrome's App Bound Encryption using adapted tools like ChromeKatz to steal cookies from new Chromium browser versions. The campaign highlights how subtle features in Discord's invite system can be exploited as attack vectors.
Created at: 2025-06-13T14:47:04.385000
Updated at: 2025-06-13T20:21:07.233000