LATEST THREAT INTELLIGENCE.
Advisory: Pahalgam Attack themed decoys used by APT36 to target the Indian Government
Description: A Pakistan-linked APT group, Transparent Tribe (APT36), is targeting Indian Government and Defense personnel using 'Pahalgam Terror Attack' themed documents. The campaign involves credential phishing and deployment of malicious payloads, with fake domains impersonating Jammu & Kashmir Police and Indian Air Force. The phishing PDF documents contain embedded links leading to fake login pages. A PowerPoint add-on file with malicious macros has been identified, which drops the Crimson RAT payload. The campaign exploits sensitive geopolitical issues to maximize impact and extract intelligence. Multiple phishing domains were created shortly after the attack, impersonating various Indian government entities. The potential impact includes disruption of sensitive operations, information manipulation, and data breaches.
Created at: 2025-04-30T21:24:45.659000
Updated at: 2025-04-30T21:30:03.717000
Threat Actors Are Targeting the US Tax Season with New Tactics of the Stealerium Infostealer
Description: Cybercriminals are exploiting the US tax season to deploy Stealerium malware, targeting citizens through sophisticated phishing campaigns. The attack utilizes deceptive email attachments with malicious LNK files, leading to the execution of PowerShell scripts and the download of a PyInstaller-packaged executable. This payload injects into mstsc.exe and deploys Stealerium, an information-stealing malware that exfiltrates sensitive data from browsers, cryptocurrency wallets, and popular applications. The malware employs anti-analysis techniques, creates a hidden directory, and registers with a command and control server. It steals credentials from various sources, including browsers, gaming platforms, and messaging apps, while also capturing webcam images and Wi-Fi passwords.
Created at: 2025-04-30T17:22:40.433000
Updated at: 2025-04-30T21:25:54.688000
TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks
Description: TheWizards, a China-aligned APT group, employs Spellbinder, a lateral movement tool for adversary-in-the-middle attacks through IPv6 SLAAC spoofing. This technique allows them to intercept network traffic and redirect legitimate Chinese software updates to malicious servers. The group targets individuals, gambling companies, and entities in Southeast Asia, UAE, China, and Hong Kong. Their malware chain includes the WizardNet backdoor and utilizes DNS hijacking to deliver malicious updates. Evidence links TheWizards to Sichuan Dianke Network Security Technology Co., Ltd. (UPSEC), suggesting it may be a digital quartermaster for this APT group. The attackers use sophisticated tools and techniques to evade detection and maintain persistence on compromised systems.
Created at: 2025-04-30T15:36:19.969000
Updated at: 2025-04-30T21:17:25.501000
PhaaS actor uses DoH and DNS MX to dynamically distribute phishing
Description: Infoblox discovered a phishing kit that creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored login pages, spoofing over 100 brands.
Created at: 2025-03-31T19:56:09.135000
Updated at: 2025-04-30T19:00:52.422000
Analysis: SmokeLoader malware distribution
Description: A malicious campaign targeting First Ukrainian International Bank has been observed using the Emmenhtal loader to distribute SmokeLoader malware. The infection chain begins with a deceptive email containing a 7z archive, which extracts to reveal a bait PDF and a shortcut file. The shortcut downloads additional files, leading to the execution of PowerShell and Mshta to retrieve the Emmenhtal loader. This loader, disguised as a modified Windows utility, deploys SmokeLoader while maintaining a stealthy execution flow. SmokeLoader, a modular malware, can download additional payloads, steal credentials, and execute remote commands. The campaign demonstrates the evolving tactics of financially motivated threat actors, leveraging LOLBAS techniques and commercial protection tools for obfuscation.
Created at: 2025-03-31T19:05:16.816000
Updated at: 2025-04-30T19:00:52.422000
Pentagon Stealer: Go and Python Malware Targeting Crypto
Description: Pentagon Stealer is an evolving malware threat that exists in both Python and Golang versions. It primarily targets browser credentials, cookies, crypto wallet data, and messaging app tokens. The malware exploits browser debug modes to bypass encryption and injects into crypto wallets to steal sensitive information. Initially spread through typosquatting, it has appeared under various names like 1312, Acab, Vilsa, and BLX stealer. The Golang version expanded its capabilities to target more browsers. Pentagon Stealer uses HTTP requests for C2 communication and is often part of larger attack chains. While relatively simple, its persistent development and integration into various campaigns make it an ongoing threat to users' financial and personal data.
Created at: 2025-04-30T08:17:57.646000
Updated at: 2025-04-30T08:38:04.920000
HANNIBAL Stealer: A Rebranded Threat Born from Sharp and TX Lineage
Description: The Hannibal Stealer is a sophisticated information stealer targeting Chromium and Gecko-based browsers, developed in C# and operating on the .NET Framework. It bypasses Chrome Cookie V20 protection and steals data from cryptocurrency wallets, FTP clients, VPNs, and messaging apps. The malware performs system profiling, captures screenshots, and exfiltrates targeted files. It includes a crypto clipper module and is controlled via a dedicated C2 user panel. Advertised on various forums, it employs geofencing, domain-matching, and comprehensive data theft techniques. The stealer is likely a rebranded version of earlier SHARP and TX Stealers, with minimal innovation beyond updated communication methods.
Created at: 2025-04-30T08:20:19.845000
Updated at: 2025-04-30T08:32:40.430000
Fake Zoom Ends in BlackSuit Ransomware
Description: A malicious website mimicking Zoom led to the installation of a trojanized installer, initiating a multi-stage attack. The initial payload, d3f@ckloader, downloaded additional components, including SectopRAT. After nine days, the threat actor deployed Brute Ratel and Cobalt Strike beacons for lateral movement. They used various techniques for discovery and credential access, including LSASS memory dumping. The attacker employed QDoor for proxying RDP connections, facilitating data collection and exfiltration via the cloud service Bublup. The intrusion culminated in the deployment of BlackSuit ransomware across multiple systems using PsExec, with a total time to ransomware of 194 hours over nine days.
Created at: 2025-03-31T05:40:35.114000
Updated at: 2025-04-30T05:03:26.069000
Uncovering Actor TTP Patterns and the Role of DNS in Investment Scams
Description: This intelligence report analyzes common techniques, tactics, and procedures (TTPs) used by threat actors in investment scams, particularly focusing on the abuse of DNS mechanisms. The actors often use registered domain generation algorithms (RDGAs) to create large numbers of domains, embed similar web forms to collect user data, hide activity through traffic distribution systems (TDS), and leverage fake news with celebrity endorsements. The report details two specific actors, Reckless Rabbit and Ruthless Rabbit, examining their distinct RDGA patterns and campaign strategies. It highlights the importance of DNS in detecting and blocking these scams at scale, as actors exploit DNS to build and maintain their infrastructure.
Created at: 2025-04-29T21:23:00.586000
Updated at: 2025-04-29T21:39:55.739000
MintsLoader Malware Analysis: Multi-Stage Loader Used in Cyber Attacks
Description: MintsLoader, a malicious loader first observed in 2024, is employed in phishing and drive-by download campaigns to deploy payloads like GhostWeaver, StealC, and modified BOINC clients. It uses obfuscated JavaScript and PowerShell scripts in a multi-stage infection chain, featuring sandbox evasion techniques, a domain generation algorithm, and HTTP-based C2 communications. Various threat groups, including TAG-124 and SocGholish operators, utilize MintsLoader to target industrial, legal, and energy sectors. The loader's sophisticated obfuscation and evasion methods complicate detection, but Recorded Future's Malware Intelligence Hunting provides up-to-date information on new samples and C2 domains.
Created at: 2025-04-29T18:01:04.133000
Updated at: 2025-04-29T21:35:59.474000