LATEST THREAT INTELLIGENCE.
October 2025 Infostealer Trend Report
Description: This analysis provides insights into Infostealer malware trends for October 2025, focusing on distribution volume, methods, and disguise techniques. The data is collected through AhnLab's automated systems and analyzed for maliciousness and C2 information. Key findings include the prevalence of Rhadamanthys, ACRStealer, and LummaC2 as the most distributed Infostealers. Distribution methods have evolved, with threat actors now using legitimate websites to bypass search engine restrictions. The report highlights two significant trends: the mass distribution of a new Loader malware using DLL sideloading, and changes in LummaC2 Infostealer distribution patterns. The analysis also covers disguise techniques, targeted companies, and phishing email statistics related to Infostealers.
Created at: 2025-11-20T14:45:53.910000
Updated at: 2025-11-20T22:08:45.631000
Analysis of ShadowPad Attack Exploiting WSUS Remote Code Execution Vulnerability (CVE-2025-59287)
Description: A critical vulnerability in Microsoft Windows Server Update Services (CVE-2025-59287) has been exploited to distribute ShadowPad malware. The attack targets Windows Servers with WSUS enabled, using PowerCat for initial access and system shell acquisition. ShadowPad, a backdoor used by Chinese APT groups, is installed using legitimate Windows utilities. The malware operates through DLL sideloading, with its core functionality contained in a .tmp file. Key configuration details include persistence mechanisms, injection targets, and C&C servers. The rapid weaponization of this vulnerability highlights the need for immediate security measures, including applying the latest Microsoft security update, reviewing WSUS server exposure, and auditing for suspicious activity.
Created at: 2025-11-20T14:36:36.895000
Updated at: 2025-11-20T22:03:48.659000
October 2025 Trends Report on Phishing Emails
Description: In October 2025, Trojans were the predominant threat in phishing email attachments, accounting for 47% of cases. The report provides statistics on threat types, distribution changes over six months, and file extensions used in phishing emails. It also includes information on Korean phishing emails, detailing case names, subjects, and attachment file names. Analysis of representative cases for different attachment formats (Script, Document, Compress) reveals the distribution of phishing pages and Remcos RAT malware. Document attachments were used to download additional malware, while compressed JS files in RAR format saw an increase in distribution. The report offers insights into recent phishing and malware trends, attachment distribution statistics, and detailed analysis of actual phishing email attacks.
Created at: 2025-11-20T14:45:53.134000
Updated at: 2025-11-20T22:02:18.869000
NKNShell Malware Distributed via VPN Website
Description: A South Korean VPN provider's website has been compromised to distribute malware, likely by the Larva-24010 threat actor active since 2023. The attack installs various backdoors including MeshAgent, gs-netcat, and a new Go-based backdoor called NKNShell. NKNShell uses NKN and MQTT protocols for C2 communication, allowing attackers to control infected systems and steal sensitive information. The malware distribution process involves a trojanized installer, PowerShell scripts, and multiple stages of payload downloads. Additional tools like SQLMap are also deployed. The attack targets Korean VPN users and showcases sophisticated techniques including AMSI bypass, UAC bypass attempts, and the use of blockchain-based networking protocols for evasion.
Created at: 2025-11-20T14:45:54.474000
Updated at: 2025-11-20T22:01:25.473000
WhatsApp compromise leads to Astaroth deployment
Description: A persistent malware distribution campaign targeting WhatsApp users in Brazil has been observed since September 24, 2025. The attack begins with a message sent using WhatsApp's 'View Once' option, delivering a ZIP archive containing malicious VBS or HTA files. When executed, these files launch PowerShell to retrieve second-stage payloads, including scripts that collect WhatsApp user data and an MSI installer that deploys the Astaroth banking trojan. The campaign has evolved over time, shifting from IMAP-based retrieval to HTTP-based communication with a remote C2 server. The attack leverages Selenium Chrome WebDriver and WPPConnect JavaScript library to hijack WhatsApp Web sessions, harvest contact information and session tokens, and facilitate spam distribution. The campaign has affected over 250 customers, with 95% of impacted devices located in Brazil.
Created at: 2025-11-20T19:42:41.056000
Updated at: 2025-11-20T22:00:00.067000
Pivot to Multi-Vector Attacks
Description: APT24, a Chinese threat actor, has conducted a three-year cyber espionage campaign using BADAUDIO, a highly obfuscated first-stage downloader. The group has evolved from broad strategic web compromises to more sophisticated tactics, including supply chain attacks and targeted phishing. They compromised a Taiwanese digital marketing firm, affecting over 1,000 domains. APT24 uses advanced techniques like control flow flattening, fingerprinting, and covert data exfiltration. The malware integrates with Cobalt Strike Beacon and employs DLL Search Order Hijacking for execution. The campaign demonstrates the actor's persistent and adaptive capabilities, highlighting the growing sophistication of Chinese cyber threats.
Created at: 2025-11-20T19:42:45.597000
Updated at: 2025-11-20T21:55:50.878000
Mobile Banking Malware bypassing WhatsApp, Telegram and Signal Encryption
Description: A new Android banking trojan called Sturnus has been identified, featuring advanced capabilities including full device takeover and the ability to bypass encrypted messaging apps. The malware can harvest banking credentials, provide remote control to attackers, and monitor communications on WhatsApp, Telegram, and Signal. Currently in a development phase, Sturnus is targeting financial institutions in Southern and Central Europe. It uses a complex communication protocol with its command-and-control server, employing both WebSocket and HTTP channels. The malware's capabilities include data exfiltration through HTML overlays and keylogging, messaging app monitoring, remote control via VNC, and extensive environment monitoring. Sturnus represents a sophisticated threat to financial security and privacy.
Created at: 2025-11-20T19:42:43.454000
Updated at: 2025-11-20T21:52:51.816000
Mirai: The IoT Botnet
Description: Mirai, a notorious botnet targeting IoT devices, has evolved since its 2016 debut. Initially known for massive DDoS attacks, newer variants employ sophisticated techniques like UPX packing and common network utilities for evasion and adaptability. Modern Mirai samples extend beyond DDoS, focusing on data exfiltration and long-term persistence. The analysis compares a June 2025 variant with the original, highlighting differences in execution, network behavior, and file characteristics. The new variant demonstrates increased stealth, modularity, and versatility, making it a more significant threat in the interconnected device landscape. Prevention strategies include updated antivirus software, avoiding suspicious links, and regular system and network monitoring.
Created at: 2025-10-21T21:49:30.735000
Updated at: 2025-11-20T21:01:14.636000
GlassWorm: Self-Propagating VSCode Extension Worm
Description: GlassWorm is a groundbreaking self-propagating worm targeting VS Code extensions on OpenVSX marketplace. It employs invisible Unicode characters to conceal malicious code and utilizes a blockchain-based command and control infrastructure on Solana. The worm compromised seven OpenVSX extensions with 35,800 downloads, harvesting NPM, GitHub, and Git credentials, targeting cryptocurrency wallets, deploying SOCKS proxy servers, and installing hidden VNC servers. It spreads exponentially through the developer ecosystem using stolen credentials. The worm employs a triple-layer C2 setup involving Solana blockchain, direct IP connection, and Google Calendar. A new infected extension was also detected in Microsoft's VSCode marketplace. The campaign remains active, necessitating immediate security measures and audits of installed extensions.
Created at: 2025-10-21T16:50:52.481000
Updated at: 2025-11-20T19:01:21.265000
Privacy and Prizes: Rewards from a Malicious Browser Extension
Description: A unique phishing campaign has been identified, urging users to install a Chrome extension through an attached file. The threat actor entices victims with the promise of a $50,000 prize and privacy protection. The malicious extension, disguised as a MAC spoofer, actually captures user credentials when logging into various services. The campaign uses social engineering techniques and a seemingly legitimate domain to appear trustworthy. The extension is manually installed, bypassing the Chrome Web Store. Analysis of the extension's files revealed its true purpose of sending captured information to the attacker's server. This case highlights the importance of human analysis in detecting threats that bypass automated security solutions.
Created at: 2025-10-21T16:05:42.513000
Updated at: 2025-11-20T16:04:19.455000
