LATEST THREAT INTELLIGENCE.
Mass Scanning and Exploit Campaigns
Description: Trustwave SpiderLabs has identified ongoing malicious activities originating from the Proton66 ASN, including vulnerability scanning, exploit attempts, and phishing campaigns. The investigation revealed connections between Proton66 and bulletproof hosting services advertised on underground forums. Mass scanning and exploit campaigns targeting multiple sectors were observed, with technology and financial organizations being the most common targets. A specific IP address linked to SuperBlack ransomware operators was found distributing critical exploits. The analysis also uncovered a potential rebranding of underground hosting services and shifts in IP addresses between different ASNs, suggesting relationships between providers.
Created at: 2025-05-16T08:51:13.169000
Updated at: 2025-06-15T08:05:52.460000
Part 2: Compromised WordPress Pages and Malware Campaigns
Description: This analysis focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. The threat actors used redirector scripts to target users from various countries, mimicking the Google Play Store. Additionally, the XWorm campaign targeted Korean-speaking users through fake investment chat rooms. The Strela Stealer targeted email clients in German-speaking countries, while the WeaXor ransomware, a revised version of Mallox, was also observed. The report details the infection chains, provides IOCs, and recommends blocking CIDR ranges associated with Proton66 and Chang Way Technologies to mitigate risks.
Created at: 2025-05-16T08:51:12.261000
Updated at: 2025-06-15T08:05:52.460000
Yet Another NodeJS Backdoor (YaNB): A Modern Challenge
Description: A resurgence in malicious campaigns exploiting deceptive CAPTCHA verifications has been observed, tricking users into executing NodeJS-based backdoors and deploying sophisticated Remote Access Trojans. The attack begins with a malicious NodeJS script connecting to attacker-controlled infrastructure, remaining passive until further commands are received. An advanced NodeJS RAT variant capable of tunneling malicious traffic through SOCKS5 proxies and using XOR-based encryption was uncovered. The campaign, known as KongTuke, uses compromised websites as initial access points. The malware employs anti-VM mechanisms, collects system information, and establishes persistence. It includes features for command execution, payload dropping, and covert communication. The RAT's functionality includes detailed system reconnaissance, remote command execution, and network traffic tunneling.
Created at: 2025-05-16T08:51:10.519000
Updated at: 2025-06-15T08:05:52.460000
Operation RoundPress targeting high-value webmail servers
Description: Operation RoundPress is a Russia-aligned espionage campaign targeting webmail servers through XSS vulnerabilities. The attackers, believed to be the Sednit group, use spearphishing emails to exploit vulnerabilities in Roundcube, Horde, MDaemon, and Zimbra webmail software. Their goal is to steal confidential data from specific email accounts. The operation expanded its targets in 2024, using both known and zero-day vulnerabilities. Victims include government entities and defense companies, primarily in Eastern Europe. The attackers employ various JavaScript payloads (SpyPress) to steal credentials, exfiltrate contacts and emails, and in some cases bypass two-factor authentication. The campaign demonstrates the ongoing threat to organizations with outdated webmail servers.
Created at: 2025-05-15T14:08:15.178000
Updated at: 2025-06-14T14:03:39.630000
Web Scanning SonicWall for CVE-2021-20016 - Update
Description: There has been a significant increase in scanning activity targeting SonicWall devices, specifically probing for the CVE-2021-20016 vulnerability. The activity has grown tenfold over the past 14 days, with multiple sources reporting probes related to two specific URLs. The most active IP addresses originate from the 141.98.80.0/24 subnet. The diary provides a list of indicator IP addresses involved in the scanning activity. This surge in scanning highlights the ongoing threat landscape surrounding the SonicWall vulnerability, emphasizing the importance of patching and monitoring for potential exploitation attempts.
Created at: 2025-05-15T11:58:28.760000
Updated at: 2025-06-14T11:00:25.937000
Private Contractor Linked to Multiple Chinese State-Sponsored Groups
Description: A recent leak from I-SOON, a Chinese IT and cybersecurity company, has revealed connections to several state-sponsored cyber groups including RedAlpha, RedHotel, and Poison Carp. The leak exposes a sophisticated espionage network involving the theft of communications data for individual tracking. Analysis confirms operational and organizational ties between I-SOON and these groups, highlighting I-SOON's role as a digital quartermaster providing shared cyber capabilities in China's aggressive cyber ecosystem. Despite the leak, I-SOON is expected to continue operations with minor adjustments. The revelation enhances understanding of Chinese cyber espionage and may impact future US legal actions against I-SOON operatives.
Created at: 2025-06-13T19:49:19.039000
Updated at: 2025-06-13T20:27:28.555000
May 2025 Security Issues in Korean & Global Financial Sector
Description: This comprehensive analysis covers cyber threats targeting financial companies in Korea and globally. It examines malware and phishing cases, top 10 malware strains, and statistics on leaked Korean accounts. The report delves into major financial threats on the dark web, including credit card data breaches, database breaches, and ransomware attacks. A notable case involves the Arkana ransomware group's breach of a global online brokerage firm, In***, resulting in the theft of 50 GB of customer data, including KYC submissions and information of over 163,000 customers. The incident highlights vulnerabilities in trading platforms' identity verification and account protection systems, emphasizing the need for enhanced security measures beyond regulatory compliance.
Created at: 2025-06-13T14:47:05.019000
Updated at: 2025-06-13T20:23:18.743000
From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery
Description: Check Point Research uncovered a malware campaign exploiting expired Discord invite links to redirect users to malicious servers. The attackers use a combination of techniques including ClickFix phishing, multi-stage loaders, and time-based evasions to deliver AsyncRAT and a customized Skuld Stealer targeting crypto wallets. The campaign leverages trusted cloud services for payload delivery and data exfiltration to avoid detection. The operation continues to evolve, with threat actors now able to bypass Chrome's App Bound Encryption using adapted tools like ChromeKatz to steal cookies from new Chromium browser versions. The campaign highlights how subtle features in Discord's invite system can be exploited as attack vectors.
Created at: 2025-06-13T14:47:04.385000
Updated at: 2025-06-13T20:21:07.233000
Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper
Description: Anubis is a new ransomware-as-a-service (RaaS) group that combines file encryption with file destruction capabilities. Active since December 2024, it features a 'wipe mode' that permanently erases files, making recovery impossible even if ransom is paid. The group operates a flexible affiliate program, offering negotiable revenue splits and supporting additional monetization paths like data extortion and access sales. Anubis has claimed victims in multiple sectors including healthcare and construction, across regions such as Australia, Canada, Peru, and the U.S. The ransomware uses spear-phishing for initial access, employs command-line execution, privilege escalation, and shadow copy deletion. Its encryption algorithm is similar to EvilByte/Prince ransomware, using Elliptic Curve Integrated Encryption Scheme (ECIES).
Created at: 2025-06-13T14:04:22.112000
Updated at: 2025-06-13T20:18:33.672000
Serverless Tokens in the Cloud: Exploitation and Detections
Description: This article explores the security implications of serverless authentication across major cloud platforms. It details how attackers target serverless functions to exploit vulnerabilities arising from insecure code and misconfigurations. The mechanics of serverless authentication are explained for AWS Lambda, Google Cloud Functions, and Azure Functions. The article outlines potential attack vectors for token exfiltration, including SSRF and RCE, and provides simulations demonstrating how tokens can be extracted and misused. Detection strategies are discussed, focusing on identifying serverless identities and anomalous behavior. Prevention measures are suggested, emphasizing the principle of least privilege and robust input validation. The article concludes by stressing the importance of understanding serverless credential mechanics and implementing proactive security measures to protect cloud environments.
Created at: 2025-06-13T14:04:22.635000
Updated at: 2025-06-13T18:59:12.439000