This is a newsletter I create and share with my internal security team. Feel free to grab and do the same.
Ransomware Ecosystem in Flux
Coveware's latest analysis reveals a significant transformation in the ransomware threat landscape as of Q1 2025. The once-dominant Ransomware-as-a-Service (RaaS) model is unraveling due to intensified law enforcement actions, internal discord, and operational setbacks.
Key Insights:
Disintegration of Major RaaS Groups: Prominent groups like LockBit, BlackCat/ALPHV, and Black Basta have collapsed, plagued by internal conflicts and increased scrutiny. Leaked communications from Black Basta highlight challenges in targeting, risk assessment, and evasion of sanctions.
Emergence of New Threat Actors: The void left by these groups is being filled by unaffiliated extortionists, nascent ransomware brands with ties to espionage and hacktivism, and a few remnants of traditional ransomware operations.
Operational Missteps: Recent incidents, such as Clop's underwhelming Cleo campaign and a poorly executed Oracle Cloud SSO breach by a BreachForums actor, indicate a decline in the sophistication and monetization strategies of threat actors.
Rise of Phantom Scams: The appearance of fraudulent ransom notes, like those falsely attributed to BianLian, underscores a trend toward deceptive tactics as traditional extortion methods wane.
Increased Exposure and Arrests: Enhanced operational security measures and international cooperation have led to the identification and apprehension of several threat actors, diminishing the perceived anonymity that once shielded cybercriminals.
Further Reading: Coveware
Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources
Unit 42 researchers have identified a novel obfuscation technique employed by threat actors, wherein malicious payloads are concealed within bitmap resources embedded in seemingly benign 32-bit .NET applications. This method leverages steganography to initiate a multi-stage execution chain, ultimately deploying final payloads such as Agent Tesla, RemcosRAT, or XLoader.
Key Insights:
Steganographic Embedding: Malware is hidden within bitmap resources of .NET executables, allowing it to evade traditional detection mechanisms.
Malspam Distribution: Campaigns have been observed targeting sectors like finance in Türkiye and logistics in Asia, using localized email subjects and attachments to increase credibility.
Multi-Stage Execution: Upon execution, the infected application extracts and deobfuscates embedded payloads, loading them as dynamic-link libraries before executing the final malicious code.
Advanced Obfuscation Techniques: Additional methods such as metadata obfuscation, opcode replacement, and control flow manipulation are used to hinder static analysis and reverse engineering.
Further Reading: Unit 42
New Tool Can Trick Windows into Disabling Microsoft Defender
Security researchers have discovered a new, publicly available tool called "DefendNot" that can manipulate Windows systems into effectively disabling Microsoft Defender, the built-in antivirus software. This tool doesn't exploit vulnerabilities but instead uses legitimate system administration features in unintended ways.
Key Insights for Security Teams:
Abuse of Admin Privileges: Highlights the critical importance of least privilege principles and monitoring privileged accounts.
Bypasses Traditional Defenses: May evade detection by traditional security solutions that primarily look for malware signatures or exploit activity.
Focus on Tamper Protection: Underscores the importance of enabling and closely monitoring tamper protection features within Microsoft Defender.
Need for Behavioral Monitoring: Organizations should emphasize behavioral monitoring and anomaly detection to identify suspicious activity.
Tool is Publicly Available: Means threat actors could potentially incorporate it into their attack chains.
Further Reading: BleepingComputer
NIST Proposes Metric to Identify Likely Exploited Vulnerabilities
The National Institute of Standards and Technology (NIST), in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), has introduced a proposed metric aimed at determining the likelihood that a given vulnerability has been exploited in the wild. This initiative seeks to enhance the efficiency and cost-effectiveness of enterprise vulnerability remediation efforts.
Key Insights:
Addressing Limitations of Existing Systems: Current remediation strategies often rely on the Exploit Prediction Scoring System (EPSS) and Known Exploited Vulnerabilities (KEV) lists. However, EPSS has been noted for inaccuracies, and KEV lists may not be comprehensive. The proposed metric aims to augment these tools by providing a more accurate assessment of exploitation likelihood.
Enhancing Vulnerability Prioritization: By estimating the probability of exploitation, organizations can better prioritize vulnerabilities, focusing resources on those most likely to be targeted.
Collaborative Approach: The success of this metric depends on collaboration with industry partners to provide necessary performance measurements and validate the effectiveness of the approach.
Further Reading: NIST CSWP 41
New Best Practices Guide for Securing AI Data Released
CISA, NSA, FBI, and international partners have jointly released a new Cybersecurity Information Sheet focused on AI Data Security: Best Practices for Securing Data Used to Train & Operate AI Systems. This guide emphasizes that robust data security is fundamental for ensuring the accuracy, integrity, and trustworthiness of AI outcomes throughout its entire lifecycle.
Key Insights:
Holistic Risk Management: The guide outlines risks stemming from data security and integrity issues across all phases of AI, from development to operation.
Target Audience: It's particularly relevant for Defense Industrial Bases, National Security Systems owners, federal agencies, and Critical Infrastructure owners/operators.
Core Recommendations: Key practices include adopting strong data protection measures, proactively managing AI-related risks, and enhancing monitoring, threat detection, and network defense capabilities.
Vigilance is Key: As AI integration grows, organizations must take deliberate steps to secure the underlying data.
Further Reading: CISA
DDoS Attack "Street Prices": What You Need to Know
Recent analysis of the underground market reveals that the "street prices" for DDoS (Distributed Denial-of-Service) attacks have remained remarkably stable over the past few years, with some new trends in service delivery. While web-based booters are still available, Telegram-based booter services are becoming a new norm, offering readily accessible attack capabilities.
Key Insights:
Stable Pricing: DDoS attack costs have remained consistent, making them a relatively affordable option for malicious actors.
Layer 3/4 Attacks (Volume-based):
1 GB/Day (Booter-Service): ~$1/day
100 GB/Day: ~$25/day
1000 GB/Day (DDoS for Hire): ~$150/day
Layer 7 Attacks (Application-layer):
10,000 RPS/Day (Booter-Service): ~$1/day
50,000 RPS/Day (DDoS for Hire): ~$20/day
100,000 RPS + Protected Services (DDoS for Hire): ~$50/day
Max monthly cost for DDoS for Hire: ~$10,000/month
DDoS-as-a-Service (DDoSaaS) Dominance: This business model continues to thrive, with attackers charging hourly or monthly fees to sustain attacks, often with extra charges for targeting protected services.
Emergence of Telegram Booters: Threat actors are increasingly leveraging Telegram for offering and managing DDoS services, simplifying access for potential customers.
Further Reading: KyberVandals Blog
Deceptive CAPTCHA "ClickFix" Campaign Uses Clipboard Injection to Deliver Malware
Threat actors are employing a new social engineering campaign, dubbed "ClickFix," that utilizes fake CAPTCHA prompts on compromised or cloned websites. This sophisticated technique tricks users into launching malware by combining clipboard injection with abuse of the Windows Run dialog, leading to the delivery of payloads like Lumma Stealer and NetSupport RAT.
Key Insights:
Social Engineering Focus: The campaign heavily relies on user fatigue with CAPTCHA mechanisms, guiding victims through seemingly familiar steps to execute malicious code.
Clipboard Injection & Run Dialog Abuse: The core of the attack involves copying a malicious PowerShell or mshta command to the clipboard, which users are then instructed to paste and execute in the Windows Run dialog.
Living Off the Land Binaries (LOLBins): Attackers extensively use trusted system binaries like PowerShell, mshta.exe, and certutil.exe to bypass traditional security defenses, making detection challenging.
Payloads: Frequently observed payloads include infostealers (e.g., Lumma Stealer targeting browser data, credentials, and crypto wallets) and remote access tools (e.g., NetSupport RAT for full system access).
Simplicity and Effectiveness: The campaign's success stems from its simplicity, avoiding zero-day exploits or complex hidden mechanisms, relying instead on user interaction.
Proactive Defense: This campaign underscores the need for robust endpoint detection and response (EDR) solutions capable of behavioral analysis and detection of LOLBin abuse, alongside user education on suspicious CAPTCHA prompts and the dangers of pasting unknown commands.
Further Reading: SecurityOnline.info
Cybercriminals Exploit AI Hype to Spread Malware
Cybercriminals are increasingly exploiting the public's interest in artificial intelligence by creating fake AI-themed websites and advertisements to distribute malware. A recent campaign identified by Mandiant Threat Defense involves the threat group UNC6032 using deceptive ads on platforms like Facebook and LinkedIn to lure users into downloading malicious software disguised as AI video generation tools.
Key Insights:
Deceptive Advertising: Thousands of malicious ads have been disseminated, impersonating legitimate AI tools such as Luma AI and Canva Dream Lab. These ads direct users to fraudulent websites designed to mimic authentic AI services.
Malware Deployment: Upon interacting with these fake sites, users are prompted to download a ZIP file containing the STARKVEIL malware dropper. This dropper installs multiple malware components, including GRIMPULL, XWORM, and FROSTRIFT, which are designed to steal sensitive information and establish persistent access to the victim's system.
Information Theft: The deployed malware targets a range of data, including login credentials, cookies, credit card information, and digital wallet contents. Some components, like XWORM, also perform keylogging and screen capture, further compromising user privacy.
Evasion Techniques: The malware employs sophisticated methods to avoid detection, such as using Braille pattern blank characters to obscure file extensions and leveraging legitimate processes for malicious activities.
This campaign underscores the importance of vigilance when engaging with online advertisements, especially those offering AI-related services. Users should be cautious of unsolicited offers and verify the legitimacy of websites before downloading any software.
Further Reading: Google Cloud Blog
Beyond the Kill Chain: How Cybercriminals Invest Their Profits
Sophos X-Ops' five-part series, Beyond the Kill Chain, explores what happens after a successful cyberattack. The series reveals how financially motivated threat actors invest their illicit earnings—often blending legitimate business with ethically questionable and outright criminal ventures.
Key Insights:
Legitimate Business Ventures: Cybercriminals are investing in seemingly lawful enterprises such as restaurants, real estate, and e-commerce platforms. These ventures help launder money while also creating additional income streams.
Ethically Dubious Activities: Some threat actors operate in legal gray zones, selling spyware, monetizing vulnerability research under the guise of security services, or manipulating online traffic for advertising profits.
Criminal Enterprises: Illicit gains are also funneled into traditional criminal operations like counterfeit goods, drug trafficking, and underground gambling, showing how cybercrime supports broader organized crime ecosystems.
Implications for Cybersecurity: Mapping how threat actors reinvest their profits helps threat intelligence teams understand evolving risk models and disrupt the infrastructure supporting ongoing cybercriminal activity.
Further Reading: Sophos News
Lumma Infostealer: Disrupted but Not Defeated
A recent global law enforcement operation disrupted parts of the Lumma Infostealer malware-as-a-service platform, seizing over 2,500 domains. However, key infrastructure—particularly servers hosted in Russia—remains intact, allowing Lumma’s core operations to continue.
Key Insights:
Partial Takedown: While many domains were seized, Lumma’s main server remains online, enabling continued malware activity.
Resilience and Recovery: The developer claimed services resumed quickly with no arrests made, signaling strong operational recovery.
Ongoing Threat: Stolen credentials and sensitive data tied to Lumma are still appearing on dark web markets.
Psychological Tactics: Authorities planted disruptive messages in Lumma’s Telegram channels and admin panels to undermine trust in the service.
Mixed Reactions: Some cybercriminals are distancing themselves from Lumma, while others remain loyal and active.
Further Reading: Check Point Blog
CFOs Targeted in Sophisticated Spear-Phishing Campaign
A recent spear-phishing campaign is targeting Chief Financial Officers (CFOs) and finance executives across banking, energy, insurance, and investment sectors in regions including Europe, Africa, Canada, the Middle East, and South Asia. The attackers use a multi-stage approach to deploy NetBird, a legitimate WireGuard-based remote access tool, onto compromised systems.
Key Insights:
Deceptive Recruitment Emails: The campaign begins with emails impersonating a Rothschild & Co recruiter offering a “strategic opportunity.” Victims are directed to a Firebase-hosted page featuring a custom CAPTCHA to access a malicious file.
Malicious Payload Delivery: After solving the CAPTCHA, users download a ZIP file containing a VBS script. When executed, it installs NetBird and OpenSSH, creates a hidden local admin account, and enables Remote Desktop Protocol (RDP) for persistent attacker access.
Evasion Techniques: The use of custom CAPTCHAs and trusted hosting services helps the attackers bypass traditional security defenses and increases credibility.
Attribution: Some infrastructure overlaps with known nation-state campaigns, but the specific threat actor remains unidentified.
Further Reading: Trellix Blog
Threat Actors Exploit Google Apps Script for Evasive Phishing Attacks
Threat actors are leveraging Google's Apps Script platform to host phishing pages that appear legitimate, allowing them to steal login credentials. These campaigns often begin with emails posing as invoice notifications, linking to webpages hosted using Google Apps Script. By operating within Google's trusted environment, attackers make their phishing pages seem more authentic, increasing the chances of success.
Key Insights:
Abuse of Trusted Services: Google Apps Script, a JavaScript-based platform used for automating Google Workspace tasks, is being exploited to host fake login pages that capture user credentials and send them to attacker-controlled servers.
Evasion of Security Measures: Because the scripts are hosted on Google's own domain, they can bypass traditional email and web filters that typically block suspicious domains.
Sophisticated Phishing Techniques: The phishing emails and login prompts are convincingly designed to mimic legitimate services, making it more likely that targets will engage and provide sensitive information.
Further Reading: BleepingComputer
HuluCAPTCHA – An Evolving Fake CAPTCHA Framework
Security researchers have identified "HuluCAPTCHA," a sophisticated fake CAPTCHA framework actively compromising websites. This advanced system tricks users into running malicious commands via fake CAPTCHA prompts and the Windows Run dialog, leading to infections with infostealers and remote access tools.
Key Insights:
Deceptive Execution: Users are redirected from compromised sites to fake CAPTCHA pages, then instructed to copy/paste malicious PowerShell or mshta commands into Windows Run.
Advanced Tracking & Stealth: The framework meticulously tracks user interactions and potential command execution. It leverages Living Off the Land Binaries (LOLBins) to evade traditional defenses.
Payload Versatility: Delivers various infostealers (e.g., Lumma, Aurotun) and remote access tools (e.g., Donut Injector).
Persistent Backdoors: Compromised WordPress sites show sophisticated hidden admin backdoors, designed for stealth and persistence.
High-Value Targets: Attackers are targeting organizations that could hold sensitive data, highlighting the potential for significant impact.
Further Reading: HuluCaptcha — An example of a FakeCaptcha framework
Phishing Campaign Exploits Google.com Open Redirects
A recent phishing campaign has been observed exploiting an open redirect vulnerability within Google's google.com/travel/clk endpoint. Threat actors are leveraging this legitimate Google Travel click-tracking mechanism to redirect users from a trusted google.com domain to malicious phishing sites. This technique adds an air of legitimacy to phishing links, making them harder for users to identify as fraudulent.
Key Insights:
Trusted Domain Abuse: Attackers are using google.com/travel/clk?pc=[token]&pcurl=[target_URL] to redirect users. The presence of google.com in the initial link provides a deceptive sense of security.
Persistent Tokens: The pc token, which controls the redirect, lacks a clear expiration mechanism and can remain valid for months or even years. This allows attackers to reuse tokens across multiple campaigns.
Ease of Exploitation: Obtaining a valid token is trivial, requiring only a visit to Google's hotel search page to copy one from a legitimate link.
Google's Stance: Google's official position classifies open redirects as "very little practical risk," claiming they invest in phishing detection rather than preventing the redirects themselves. This stance is debated given the observed abuse.
Detection Challenge: The initial legitimate google.com domain in the link makes it difficult for users and some security systems to immediately flag it as malicious.
Mitigation Recommendation for Internal Security Teams:
Flag or sandbox any google.com/travel/clk links that appear in email and other messages until Google clarifies its redirect validation mechanisms.
Further Reading: Another day, another phishing campaign abusing google.com open redirects
Cybercriminals Use Fake Booking Sites to Spread AsyncRAT Malware
Cybercriminals are exploiting fake Booking.com websites to infect users with AsyncRAT, a remote access trojan. Victims are lured through deceptive ads and social media links to counterfeit booking sites, where they are tricked into running a malicious PowerShell script. The attack results in full remote control of the infected system, putting sensitive personal information at risk.
Key Insights:
Attackers use fake CAPTCHA prompts to manipulate users into executing malware.
The AsyncRAT payload allows for full system access, including surveillance and data theft.
Domains rotate every few days, making detection and blocking more difficult.
Further Reading: Malwarebytes Blog
UNC6040 – Voice Phishing to Salesforce Data Extortion
Google Threat Intelligence Group (GTIG) is tracking UNC6040, a financially motivated threat cluster specializing in voice phishing (vishing) campaigns. This group is successfully impersonating IT support to gain access to organizations' Salesforce instances, primarily to steal large volumes of data for subsequent extortion. Their tactics rely heavily on manipulating end users rather than exploiting software vulnerabilities.
Key Insights:
Vishing is Key: UNC6040 uses convincing phone calls, often targeting English-speaking employees, to socially engineer access.
Salesforce Data Loader Abuse: They trick victims into authorizing malicious versions of Salesforce Data Loader, gaining broad access to exfiltrate sensitive data.
Lateral Movement: After Salesforce, they use stolen credentials for lateral movement into other cloud platforms like Okta and Microsoft 365.
No Platform Vulnerability: Attacks exploit user trust and process gaps, not inherent Salesforce flaws.
Persistent Threat: Extortion can occur months after the initial intrusion, indicating a patient and persistent threat.
Further Reading: The Cost of a Call: From Voice Phishing to Data Extortion
