LATEST THREAT INTELLIGENCE.

Makop ransomware: GuLoader and privilege escalation in attacks against Indian businesses

Description: Makop, a ransomware strain derived from Phobos, is targeting Indian businesses through exposed RDP systems. The attackers employ a diverse toolkit including network scanners, privilege escalation exploits, and AV killers. They have integrated GuLoader, a downloader trojan, to deliver secondary payloads and bypass security measures. The attack chain typically involves RDP exploitation, followed by network scanning, lateral movement, and privilege escalation before encryption. The majority of attacks (55%) target organizations in India. Makop operators use off-the-shelf tools and multiple local privilege escalation vulnerabilities to maximize their impact. The inclusion of a tailored Quick Heal AV uninstaller indicates adaptation to specific regional targets.

Created at: 2025-12-09T17:09:27.861000

Updated at: 2025-12-09T17:32:32.020000

React2Shell Deep Dive: CVE-2025-55182 Exploit Mechanics

Description: The critical Remote Code Execution vulnerability CVE-2025-55182, dubbed 'React2Shell', affects React Server Components (RSC) and extends beyond Next.js. Attackers are exploiting it for cloud-native initial access, credential harvesting, cryptomining, and deploying sophisticated backdoors. The vulnerability stems from improper input deserialization in RSC payloads, allowing arbitrary code execution. Exploitation has been observed across various cloud platforms, targeting containerized workloads. The exploit's mechanics involve crafting a malicious payload with self-referencing gadgets to bypass security checks during deserialization. Other frameworks using RSC, such as Waku and Vite, are also vulnerable. Urgent patching and comprehensive detection measures are crucial for affected systems.

Created at: 2025-12-09T17:08:13.495000

Updated at: 2025-12-09T17:24:01.482000

Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks

Description: A critical remote code execution vulnerability (CVE-2025-6389) in the Sneeit Framework WordPress plugin is being actively exploited. The flaw allows unauthenticated attackers to execute code on the server, potentially creating malicious admin accounts or injecting backdoors. Wordfence has blocked over 131,000 attack attempts since November 24, 2025. Concurrently, a separate attack exploiting an ICTBroadcast vulnerability (CVE-2025-2611) is being used to spread the 'Frost' DDoS botnet. This botnet combines DDoS capabilities with spreader logic, including exploits for fifteen CVEs. The attacks appear to be part of a small, targeted operation, given the limited number of vulnerable internet-exposed systems.

Created at: 2025-12-09T12:50:07.844000

Updated at: 2025-12-09T12:51:16.808000

Sharpening the knife: strategic evolution of GOLD BLADE

Description: GOLD BLADE, a threat group previously focused on cyberespionage, has evolved into a hybrid operation combining data theft with selective ransomware deployment. The group has refined its intrusion methods, shifting from traditional phishing to abusing recruitment platforms for delivering weaponized resumes. Their operations follow cycles of dormancy and sudden activity bursts, introducing new tradecraft in each wave. GOLD BLADE has modified its RedLoader infection chain multiple times, implemented a Bring Your Own Vulnerable Driver approach, and developed a custom ransomware called QWCrypt. The group's targeting has narrowed to focus primarily on Canadian organizations across various sectors. Their sophisticated tactics and continual refinement demonstrate a level of operational maturity uncommon among financially motivated actors.

Created at: 2025-12-06T07:31:57.447000

Updated at: 2025-12-09T12:48:36.469000

How Lazarus's IT Workers Scheme Was Caught Live on Camera

Description: This report details an investigation into a North Korean infiltration operation by the Lazarus Group's Famous Chollima division. The operation aims to deploy remote IT workers in American financial and crypto/Web3 companies for corporate espionage and funding. Researchers posed as potential recruits and used sandboxed environments to monitor the operators' activities in real time. The investigation revealed the group's tactics, including identity theft, social engineering, and the use of AI tools. The operators displayed poor operational security, sharing infrastructure and making repeated mistakes. The report provides insights into the group's recruitment methods, toolset, and communication patterns, offering a rare inside view of their operations.

Created at: 2025-12-09T12:38:10.382000

Updated at: 2025-12-09T12:43:20.570000

AI-Automated Threat Hunting Brings GhostPenguin Out of the Shadows

Description: An undocumented Linux backdoor called GhostPenguin was discovered using AI-driven threat hunting. This multi-threaded C++ malware provides remote shell access and file system operations over an encrypted UDP channel. It uses a structured handshake mechanism and synchronizes threads for registration, heartbeat signaling, and command delivery. The discovery involved analyzing zero-detection Linux samples from VirusTotal, extracting artifacts, and using AI for automated profiling. Custom YARA rules and queries helped surface this evasive threat. Analysis revealed GhostPenguin is still in development, with debug artifacts present. The malware's comprehensive capabilities include remote shell access, file manipulation, and directory operations.

Created at: 2025-12-08T16:35:09.029000

Updated at: 2025-12-09T12:35:22.047000

Critical React2Shell Vulnerability Under Active Exploitation by Chinese Threat Actors

Description: A critical vulnerability dubbed 'React2Shell' (CVE-2025-55182) in React Server Components is being actively exploited by Chinese threat actors. The flaw affects multiple versions and packages, allowing arbitrary code execution through crafted HTTP requests. Approximately 39% of scanned cloud environments contain vulnerable React instances, with exploitation attempts showing a near 100% success rate. The vulnerability impacts popular frameworks and libraries bundling react-server. Chinese state-sponsored groups, including Earth Lamia and Jackpot Panda, are reportedly involved in the attacks. Organizations are urged to identify vulnerable assets, apply patches immediately, and block malicious IP addresses associated with exploitation attempts.

Created at: 2025-12-08T17:25:04.500000

Updated at: 2025-12-09T12:33:51.828000

LummaStealer dropped via fake updates from itch.io and Patreon

Description: A malicious campaign targeting indie game platforms like itch.io and Patreon has been discovered. Attackers are using newly created accounts to spam comments on legitimate games, claiming to offer game updates through Patreon links. These links lead to downloads containing LummaStealer malware. The malware uses multiple anti-analysis techniques, including checks for virtual machines, specific usernames, and processes associated with malware analysis. The payload is delivered through a nexe-compiled JavaScript file, which drops and loads a DLL containing the LummaStealer variant. Despite efforts to remove malicious accounts, new ones continue to appear, indicating an ongoing campaign.

Created at: 2025-12-08T17:25:04.908000

Updated at: 2025-12-09T12:32:48.157000

Campaign uses ClickFix page to push NetSupport RAT

Description: The SmartApeSG campaign, also known as ZPHP or HANEYMANEY, has evolved from using fake browser update pages to employing ClickFix-style fake CAPTCHA pages. This campaign distributes malicious NetSupport RAT packages as its initial infection vector. The attack chain begins with an injected script on compromised websites, which, under certain conditions, displays a fake CAPTCHA page. When users interact with this page, malicious content is injected into the Windows clipboard, prompting users to paste and execute it. This leads to the download and installation of NetSupport RAT, which maintains persistence through a Start Menu shortcut. The campaign frequently changes domains, packages, and C2 servers to evade detection.

Created at: 2025-12-08T17:41:04.344000

Updated at: 2025-12-09T12:31:32.376000

CastleLoader Activity Clusters Target Multiple Industries

Description: Insikt Group has identified four distinct activity clusters associated with GrayBravo's CastleLoader malware, each with unique tactics and victim profiles. This supports the assessment that GrayBravo operates a malware-as-a-service model. One cluster, TAG-160, impersonates logistics firms and uses phishing lures with the ClickFix technique to distribute CastleLoader. Another cluster, TAG-161, impersonates Booking.com and employs similar techniques. The analysis also uncovered potential links to the online persona "Sparja" and the broader cybercriminal ecosystem. GrayBravo demonstrates rapid evolution, technical sophistication, and adaptability in response to public exposure. The report recommends various security measures to defend against these threats.

Created at: 2025-12-09T05:39:34.614000

Updated at: 2025-12-09T12:29:36.690000