LATEST THREAT INTELLIGENCE.
China-Nexus Threat Actor Actively Exploiting Ivanti Endpoint Manager Mobile (CVE-2025-4428) Vulnerability
Description: A critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM) is being actively exploited by UNC5221, a China-nexus threat actor. The activity targets internet-facing EPMM deployments across sectors including healthcare, telecommunications, and government. The attackers use unauthenticated remote code execution for initial access, then deploy the KrustyLoader malware for persistence. They use EPMM's hardcoded MySQL credentials to exfiltrate sensitive data from the EPMM database, and the Fast Reverse Proxy (FRP) tool for network reconnaissance and lateral movement. Compromised systems span multiple countries in Europe, North America, and Asia-Pacific, indicating a global espionage campaign likely aligned with Chinese state interests.
Created at: 2025-05-21T23:03:24.734000
Updated at: 2025-06-20T23:02:09.595000
Cybercriminals Abusing Vercel to Deliver Remote Access Malware
Description: A phishing campaign has been identified that abuses Vercel, a legitimate frontend hosting platform, to deliver a LogMeIn remote-access installer as malware. The attackers send phishing emails linking to a page hosted on Vercel that impersonates an Adobe PDF viewer and prompts the user to download a disguised executable. Once run, the installer connects to a LogMeIn server, giving the attackers remote access to and control of the compromised machine. Over 28 distinct campaigns targeting more than 1,271 users were observed in the past two months. The technique works because it combines a legitimate hosting platform, a genuine remote access tool, and social engineering. Recommendations include monitoring suspicious Vercel subdomains, educating employees about fake support scams, and enforcing strict controls on the installation of remote access software.
Created at: 2025-06-20T19:26:04.653000
Updated at: 2025-06-20T21:31:22.537000
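As an added illustration of the "monitor suspicious Vercel subdomains" recommendation (example code written for this page, not from the original report), the following Python scans constructed proxy log lines for vercel.app hosts whose project subdomain carries a document or brand lure, and for executable downloads served from such hosts, which is the combination the campaign above relies on. The log line format, the lure keyword list, the extension list and every sample line are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines for this example (not from the original report).
# Format assumed here: <timestamp> <user> <method> <url> <status>
PROXY_LOG = """\
2025-06-20T10:01:02Z alice GET https://docs.vercel.app/ 200
2025-06-20T10:03:11Z bob GET https://adobe-pdf-viewer-x7q2.vercel.app/view 200
2025-06-20T10:03:15Z bob GET https://adobe-pdf-viewer-x7q2.vercel.app/Adobe_Reader_Setup.exe 200
2025-06-20T10:05:40Z carol GET https://my-portfolio.vercel.app/ 200
2025-06-20T10:07:02Z dave GET https://cdn.example.com/report.pdf 200
"""

# Lure words commonly placed in a throwaway project subdomain (assumed list; add your brands).
LURE_TOKENS = ("adobe", "pdf", "viewer", "docusign", "support", "helpdesk", "login")
# Extensions a frontend-hosting project page has no business serving to end users.
EXEC_EXT = (".exe", ".msi", ".scr", ".com", ".bat", ".ps1")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_log(log: str):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def vercel_subdomain(host: str):
    """Return the lower-cased project label for *.vercel.app hosts, else None."""
    host = host.lower()
    suffix = ".vercel.app"
    return host[: -len(suffix)] if host.endswith(suffix) else None


def classify(rec: dict):
    """Return the list of reasons a record is suspicious (empty if benign)."""
    parts = urlsplit(rec["url"])
    sub = vercel_subdomain(parts.hostname or "")
    if sub is None:
        return []                      # only Vercel-hosted traffic is in scope here
    reasons = []
    if any(tok in sub for tok in LURE_TOKENS):
        reasons.append("lure keyword in subdomain")
    if parts.path.lower().endswith(EXEC_EXT):
        reasons.append("executable download")
    return reasons


def find_suspicious(log: str):
    """Run classify() over every parsed line and collect the hits in log order."""
    alerts = []
    for rec in parse_log(log):
        reasons = classify(rec)
        if reasons:
            alerts.append({"ts": rec["ts"], "user": rec["user"],
                           "host": urlsplit(rec["url"]).hostname,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious(PROXY_LOG):
        print(a["ts"], a["user"], a["host"], "; ".join(a["reasons"]))
```

The two hits for user bob (a lure-named subdomain, then an .exe fetched from it seconds later) are the sequence worth alerting on; a lone lure keyword is noisy on its own, so in production pair the two signals per user within a short window rather than alerting on either alone.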
TxTag Takedown: Busting Phishing Email Schemes
Description: A new phishing campaign has been observed using a .gov domain to convince employees they owe unpaid tolls. The messages rely on urgency and fear, threatening penalties or a hold on vehicle registration if the balance is not paid immediately. The attackers send through the GovDelivery system to add legitimacy, even though they use Indiana's instance for a Texas-themed scam. The phishing link leads to a fake TxTag website that asks for personal information and credit card details. Because the campaign mimics a well-known service and carries none of the conventional malicious indicators, it highlights the need for human expertise in email security processes to catch threats that automated checks miss.
Created at: 2025-06-20T19:26:04.265000
Updated at: 2025-06-20T21:30:06.278000
Threat actor Banana Squad exploits GitHub repos in new campaign
Description: ReversingLabs researchers have uncovered a new campaign by the threat actor Banana Squad involving more than 60 GitHub repositories that contain hundreds of trojanized Python files. The attackers create fake user accounts to host malicious repositories that mimic legitimate ones, and hide the malicious code by padding source lines with long runs of spaces so that it sits far to the right, off-screen in a typical editor or diff view. The campaign primarily uses the domain dieserbenni[.]ru; a second domain, 1312services[.]ru, was detected recently. The trojanized files use several encoding and encryption layers to conceal their payloads. The campaign illustrates the growing sophistication of open-source software supply chain attacks targeting platforms such as GitHub.
Created at: 2025-06-20T19:26:03.627000
Updated at: 2025-06-20T21:28:48.668000
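The off-screen padding trick is cheap to detect mechanically once you know to look for it. The Python below is an added example for this page (not ReversingLabs' tooling and not code from any Banana Squad repository): it flags any source line where a long run of whitespace sits between two non-space tokens, reports the hidden tail, and marks tails that contain typical loader tokens. The sample file, the 60-column threshold and the token list are assumptions for this example.

```python
import re

# Constructed Python source for this example (not a real Banana Squad file): line 4 keeps a
# harmless-looking statement on the left and pushes an injected payload 400 columns to the
# right, the off-screen hiding technique described in the entry above.
SAMPLE_PY = (
    "import os\n"
    "def greet(name):\n"
    "    return f'hi {name}'\n"
    "x = 1" + " " * 400 + ";import base64,os;exec(base64.b64decode('Li4u'))\n"
    "print(greet('bob'))\n"
)

# Longest run of spaces/tabs a normal source line plausibly contains between two tokens
# (assumed threshold; column-aligned comments rarely exceed a few dozen).
MAX_GAP = 60

# Tokens whose presence in the hidden tail turns a formatting oddity into a likely payload.
PAYLOAD_TOKENS = ("exec(", "eval(", "__import__", "base64", "compile(", "subprocess")


def find_offscreen_code(source: str, max_gap: int = MAX_GAP):
    """Flag lines where a long run of whitespace sits between two non-space tokens.

    The lookbehind requires a non-space character before the run, so ordinary
    indentation at the start of a line is never counted, only mid-line padding.
    """
    gap_re = re.compile(r"(?<=\S)[ \t]{%d,}(?=\S)" % max_gap)
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = gap_re.search(line)
        if not m:
            continue
        hidden = line[m.end():]
        hits.append({
            "line": lineno,
            "gap": m.end() - m.start(),      # number of padding columns
            "column": m.end(),               # where the hidden code starts
            "hidden": hidden,
            "payload": any(tok in hidden for tok in PAYLOAD_TOKENS),
        })
    return hits


def scan_files(paths, **kw):
    """Scan files on disk; returns {path: hits} for files with at least one hit."""
    report = {}
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            hits = find_offscreen_code(fh.read(), **kw)
        if hits:
            report[p] = hits
    return report


if __name__ == "__main__":
    for h in find_offscreen_code(SAMPLE_PY):
        print(f"line {h['line']}: {h['gap']} padding columns, "
              f"payload={h['payload']}: {h['hidden'][:60]}")
```

Run scan_files() over a cloned repository (or wire find_offscreen_code() into a pre-commit or CI check) to catch this pattern before the file is executed; a hit with payload=False is usually just column-aligned code and can be reviewed at lower priority.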
BERT RANSOMWARE - THE RAVEN FILE
Description: BERT ransomware, active since March 2025, has expanded to target both Windows and Linux environments. The group gains initial access through phishing and negotiates with victims over the dark web and the Session messenger. Victims span multiple countries, primarily in the services and manufacturing sectors. The Windows variant uses multiple file extensions and RSA encryption, while the Linux variant shares code with Sodinokibi/REvil. A weaponized PowerShell script disables security features before the payload executes. The ransomware's infrastructure is linked to a Russian firm, suggesting possible ties to the region.
Created at: 2025-06-20T19:25:58.094000
Updated at: 2025-06-20T21:27:30.698000
Caught in the Act: Uncovering SpyNote in Unexpected Places
Description: Multiple samples of SpyNote, a capable Android spyware, were discovered in open directories, disguised as legitimate apps such as Google Translate, Temp Mail, and Deutsche Postbank. The malware abuses accessibility services and device administrator privileges to steal sensitive information from infected devices. Samples were hosted on servers at several providers, including AWS and SonderCloud Limited, each with its own command and control (C2) infrastructure. The discovery highlights the continuing threat from SpyNote, particularly since its source code leaked in late 2022, and underscores the value of proactive threat hunting and analysis.
Created at: 2025-06-20T19:26:02.648000
Updated at: 2025-06-20T21:25:09.918000
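The accessibility-service plus device-admin combination named above is visible in an app's manifest before the app is ever run, so it makes a useful triage signal. The Python below is an added example for this page (not code from the original report): it parses a decoded AndroidManifest.xml, checks for a service bound with BIND_ACCESSIBILITY_SERVICE, a receiver bound with BIND_DEVICE_ADMIN, sensitive runtime permissions, and a brand in the app label that does not match the package name, then scores the result. The sample manifest, the brand list, the sensitive-permission set and the scoring thresholds are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed AndroidManifest.xml for this example (not a real SpyNote sample). It mimics
# a "Google Translate" look-alike that binds an accessibility service and a device admin.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.translate.helper.free">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Google Translate">
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Runtime permissions that give a spyware app its data sources (assumed subset).
SENSITIVE_PERMS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
}
# Brands the entry names as SpyNote disguises; a label carrying one of these while the
# package name does not is a rough impersonation heuristic (assumption for this example).
BRAND_TOKENS = ("google", "postbank", "temp mail")

A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ADMIN_BIND = "android.permission.BIND_DEVICE_ADMIN"


def triage_manifest(xml_text: str) -> dict:
    """Score a decoded manifest; higher means more spyware-like."""
    root = ET.fromstring(xml_text)
    pkg = (root.get("package") or "").lower()
    app = root.find("application")
    label = (app.get(ANDROID + "label") if app is not None else "") or ""
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    a11y = any(s.get(ANDROID + "permission") == A11Y_BIND for s in root.iter("service"))
    admin = any(r.get(ANDROID + "permission") == ADMIN_BIND for r in root.iter("receiver"))
    brand = next((t for t in BRAND_TOKENS if t in label.lower()), None)
    mismatch = brand is not None and brand.replace(" ", "") not in pkg
    sensitive = sorted(perms & SENSITIVE_PERMS)
    score = 2 * a11y + 2 * admin + 2 * mismatch + min(len(sensitive), 3)
    verdict = "suspicious" if score >= 5 else "review" if score >= 3 else "low"
    return {
        "package": pkg, "label": label,
        "accessibility_service": a11y, "device_admin": admin,
        "label_package_mismatch": mismatch, "sensitive_permissions": sensitive,
        "score": score, "verdict": verdict,
    }


if __name__ == "__main__":
    for k, v in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{k:>24}: {v}")
```

The manifest inside an APK is binary XML; decode it first (apktool or androguard both produce the text form) and feed the result to triage_manifest(). Legitimate accessibility tools and MDM agents will score high on the first two flags, so the verdict is a queue priority for an analyst, not a block decision.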
DMV-Themed Phishing Campaign Targeting U.S. Citizens
Description: A sophisticated phishing campaign impersonating U.S. state Departments of Motor Vehicles emerged in May 2025, using SMS phishing (smishing) and deceptive websites to harvest personal and financial data. Victims received messages about unpaid toll violations directing them to fake DMV sites that requested extensive information. Technical analysis revealed shared infrastructure, consistent domain naming, and indicators pointing to a China-based threat actor. The campaign used spoofed SMS sender numbers, often from the Philippines, and email addresses on obscure domains. The phishing domains followed a pattern built from state identifiers and a small set of TLDs. Infrastructure analysis showed connections to known malicious IP addresses and Chinese DNS providers. The campaign's broad impact prompted alerts from multiple states and federal authorities.
Created at: 2025-06-20T19:26:02.114000
Updated at: 2025-06-20T21:24:09.697000
Malicious Loan App Removed from the iOS App Store and Google Play Posed Severe Risks to Users
Description: A SpyLoan application called 'RapiPlata' was identified on a victim's device; it had been downloaded by more than 150,000 users from Google Play and the Apple App Store combined, and ranked in the top 20 of the finance category in Colombia. The app had extensive access to sensitive user data, including SMS messages, call logs, calendar events, and the list of installed applications, and uploaded that data to its servers, creating significant privacy and financial risks. Its malicious behaviour included harassing messages, unauthorized loan approvals, and data theft. Although removed from the official app stores, it remains available through third-party websites. The app is part of a larger SpyLoan malware operation and resembles previously identified malicious apps.
Created at: 2025-06-20T19:26:01.606000
Updated at: 2025-06-20T21:22:33.170000
Crypto Phishing Applications On The Play Store
Description: An investigation uncovered more than 20 cryptocurrency phishing applications on the Google Play Store impersonating legitimate crypto services such as SushiSwap and PancakeSwap. The apps phish users for their wallet mnemonic (seed) phrases, which give the attackers full access to the real wallets and let them drain the funds. The apps share common patterns, including command-and-control URLs embedded in their privacy policies and similar package names, and are distributed through compromised developer accounts that previously published legitimate apps. Two main types were identified: apps built on the Median framework, and apps that load the phishing URL directly into a WebView. The campaign is a coordinated operation backed by large-scale phishing infrastructure spanning more than 50 domains.
Created at: 2025-06-20T19:25:58.588000
Updated at: 2025-06-20T21:20:53.246000
Hiding in GitHub
Description: An AMOS (Atomic macOS Stealer) campaign has been discovered using GitHub repositories to distribute its malicious files. The attackers built a fake Ledger Live app that prompts users to enter their secret recovery phrases, which are then exfiltrated. The malware obfuscates itself with base64 encoding and custom XOR operations, and it checks for virtual environments before running. It targets cryptocurrency users, specifically hardware wallet owners, and is distributed as DMG files and ZIP archives containing both x64 and ARM64 builds of AMOS. The attackers use multiple domains for command and control.
Created at: 2025-06-20T19:25:55.960000
Updated at: 2025-06-20T21:15:40.206000
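The base64-plus-XOR layering described above is the most common string-hiding scheme in commodity stealers, and when the XOR key is a single repeating byte it can be brute-forced in milliseconds. The Python below is an added example for this page (not AMOS code and not the original researchers' tooling): it decodes a base64 blob, tries all 255 single-byte keys, and keeps only candidates that are mostly printable and contain a URL marker, because printable ratio alone is not selective. The sample plaintext, the key 0x5A and the single-byte-key assumption are all constructed for this example; a real sample may use a longer key, in which case the same approach applies per key position.

```python
import base64
import re
import string

PRINTABLE = frozenset(string.printable.encode("ascii"))
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/\S*)?")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the 'custom XOR' in its simplest form)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(plain: bytes, key: bytes) -> str:
    """Encoder for the assumed layering: XOR first, then base64 (used to build the sample)."""
    return base64.b64encode(xor_bytes(plain, key)).decode("ascii")


def b64_lenient(s: str) -> bytes:
    """Decode base64 even when the sample stripped padding or sprinkled in junk characters."""
    s = re.sub(r"[^A-Za-z0-9+/]", "", s)
    return base64.b64decode(s + "=" * (-len(s) % 4))


def printable_ratio(data: bytes) -> float:
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def recover_strings(blob: str, marker: bytes = b"://", min_printable: float = 0.9):
    """Brute-force a single-byte XOR key over a base64 blob.

    Returns (key, plaintext) pairs ranked by printable ratio, keeping only candidates
    that are mostly printable AND contain the marker. The marker matters: a key that is
    off by a small delta maps letters onto other letters and still looks "printable".
    """
    raw = b64_lenient(blob)
    found = []
    for k in range(1, 256):
        out = xor_bytes(raw, bytes([k]))
        ratio = printable_ratio(out)
        if ratio >= min_printable and marker in out:
            found.append((k, ratio, out))
    found.sort(key=lambda t: t[1], reverse=True)
    return [(k, out) for k, _, out in found]


def extract_urls(data: bytes):
    """Pull URL-shaped substrings out of recovered plaintext for IOC handling."""
    return [m.decode("ascii", "replace") for m in URL_RE.findall(data)]


# Constructed sample: a fake C2 address, XOR-ed with key 0x5A and base64-encoded, the way
# the entry describes the stealer wrapping its strings (not a real AMOS indicator).
SAMPLE_PLAIN = b"https://c2.example.invalid/gate.php?id=1"
SAMPLE_KEY = bytes([0x5A])
SAMPLE_BLOB = obfuscate(SAMPLE_PLAIN, SAMPLE_KEY)


if __name__ == "__main__":
    for key, text in recover_strings(SAMPLE_BLOB):
        print(f"key=0x{key:02x} -> {text!r} urls={extract_urls(text)}")
```

Feed recover_strings() each base64-looking string pulled from the binary (for example with strings(1) piped through a base64 regex); a hit that yields a URL is an IOC candidate, and the recovered key usually unlocks the rest of the sample's string table too.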