Cybersecurity News

March 8, 2025

Ransomware Trends & Data Insights: February 2025

Throughout February, analysts identified several distinct trends behind the threat actors perpetrating cybercrime activities: 


This edition focuses on the top cyber threats our DFIR practices responded to in February 2025. Of the 14 distinct ransomware variants we observed during February, below are the top 5 variants encountered, based on the percent of total ransomware and extortion engagements throughout the month:

Figure 1. Activity from the top 5 threat groups in February 2025


Akira

Akira first emerged in April 2023 and quickly established itself as one of the most active ransomware groups. Through the end of 2024, the group remained one of the most prevalent ransomware threats and benefited from law enforcement’s actions against LockBit and ALPHV. Akira exfiltrates data to a remote server, encrypts the victim’s files, and extorts victims by threatening to post sensitive information on its dedicated leak site (DLS). The ransomware appends an “.akira” extension to encrypted files and uses a password-protected TOR site for communication and negotiations with its victims.


Notable TTPs


Analyst Notes

With the fall of ALPHV/BlackCat and the decline of LockBit in 2024, Akira ultimately dominated the ransomware landscape for the majority of 2024. The group maintained consistent, high levels of activity throughout the year and was the most active group from Q2 through Q4 2024. Given Akira’s consistent activity levels and adaptability, the group will likely continue to be the dominant ransomware threat in 2025 and was already the most active group observed in January and February.

BianLian

BianLian is an extortion group first observed in June 2022. Initially, the group operated with a double extortion model, but around January 2023, it shifted to an extortion-only model after a decryptor for its ransomware executable was released. Since then, BianLian has remained a data extortion-only threat group, typically gaining initial access via Remote Desktop Protocol (RDP) credentials or third-party remote access tools. 


Notable TTPs


Analyst Notes

Although the BianLian extortion group is rarely among the most active groups month-to-month, it has remained a consistent threat since 2022. By focusing on data theft only, the group became proficient in impacting the highest average number of individuals in each data breach. Coupled with aggressive pressure tactics, this resulted in victims paying a ransom in 52% of all BianLian engagements in 2024, in contrast to just 29% of engagements for all threat groups combined. Given its extortion successes, we anticipate the group will remain a persistent threat throughout 2025.  


Since late February 2025, we have observed several incidents involving ransom letters sent via the postal service and claiming to be from BianLian. Information collected through our various engagements and available open-source reporting has not definitively confirmed who is sending these letters, but it is unlikely the ransom letters originated from the BianLian extortion group. Additionally, we have not discovered any indications of data exfiltration in the engagements we have investigated for clients who received one of these letters. On Thursday, March 6th, the FBI issued a public service announcement stating that it found no connection to BianLian and assessed the letters were likely a scam.

Cactus

Cactus ransomware was first discovered in the wild in March 2023. The group uses double extortion tactics, encrypting compromised networks and stealing sensitive data. Cactus employs a dynamic approach to encryption, utilizing many tools and techniques to ensure its malicious payload is delivered effectively and covertly and demonstrating a sophisticated understanding of evasion techniques. 


Notable TTPs


Analyst Notes

Cactus was relatively quiet in 2024 and accounted for only a little over 1% of all ransomware and extortion engagements for the entire year. It is too early to tell whether its increased activity in February is a result of the social engineering tactic the group has recently used or whether Cactus will evolve into a more persistent threat in 2025.

Malware Observed in February 2025

Neshta: Neshta is a file-infecting malware that primarily targets Windows systems by injecting malicious code into executable (.exe) files. It spreads through infected downloads, email attachments, compromised software updates, and removable drives. Once active, Neshta modifies the Windows registry to ensure persistence, often masquerading as legitimate system processes like “svchost.com” to evade detection. The malware continuously infects other executables on the system, making removal challenging.  


In addition to its file-infecting behavior, Neshta can serve as a backdoor, enabling cybercriminals to steal sensitive information, deploy additional malware, and scout the system for further attacks. Its persistence mechanisms, such as modifying registry keys and embedding itself in critical system files, often necessitate specialized removal tools or full OS reinstallation in severe cases. Security researchers have observed that newer variants of Neshta integrate advanced obfuscation techniques, making them more resistant to traditional antivirus detection.  


RedLine: RedLine Stealer, an information-stealing malware first identified in 2020, operates on a Malware-as-a-Service (MaaS) model, allowing affiliates to purchase subscriptions or lifetime licenses to access a control panel that generates malware samples and functions as a command-and-control server. The malware collects a wide array of sensitive information, including local cryptocurrency wallets, cookies, saved credentials, and saved credit card details from browsers and saved data from applications like Steam, Discord, Telegram, and various desktop VPN clients. In October 2024, an international law enforcement operation called Operation Magnus, led by the Dutch National Police, the FBI, Eurojust, and other agencies, targeted the RedLine Stealer infrastructure. As a result, authorities took down three servers in the Netherlands and seized two domains. 


Lumma Stealer: Lumma Stealer, also known as LummaC2, is an information-stealing malware that first appeared in late 2022. Developed in the C programming language, it operates under a MaaS model, allowing cybercriminals to purchase and deploy it with relative ease. The malware primarily targets sensitive information such as cryptocurrency wallets, browser-stored passwords, and two-factor authentication (2FA) data. 


In 2024, Lumma Stealer's activity escalated, with its developers adopting more sophisticated tactics to compromise victims. One notable method involved fake CAPTCHA verification pages that appeared legitimate. Users attempting to complete the CAPTCHA triggered a hidden PowerShell command, downloading and executing the malware on their systems. 


SocGholish: SocGholish, also known as "FakeUpdates," is a JavaScript-based malware family that primarily employs social engineering tactics, masquerading as legitimate software updates to deceive users into downloading malicious payloads. Cybercriminals infiltrate legitimate websites by embedding harmful JavaScript code. When users access these compromised sites, they are presented with misleading prompts—such as counterfeit browser update alerts—persuading them to download and run malicious files. This tactic serves as the entry point for malware infection. Over time, SocGholish has evolved, employing sophisticated techniques to evade detection. Recent campaigns utilized complex infection chains involving JavaScript, PowerShell, and compressed files to bypass security measures, and in 2025, SocGholish continues to be a prevalent threat. 


AsyncRAT: AsyncRAT is an open-source remote access trojan (RAT) that first appeared in 2019. Written in C#, it enables cybercriminals to remotely control compromised systems, facilitating activities such as data theft, command execution, screenshot capture, and full system control. Attackers employ various strategies to spread AsyncRAT, including phishing emails, malvertising, and exploit kits.


As of early 2025, AsyncRAT has evolved with notable advancements. Recent campaigns have utilized Python-based malware and TryCloudflare tunnels to enhance stealth and bypass security measures. Payloads are delivered via Dropbox URLs and temporary TryCloudflare tunnel infrastructure, tricking recipients into trusting their authenticity.

March 1, 2025

AI Deep Dive Part 2: Data Privacy Concerns 

A few weeks ago, we outlined the history of artificial intelligence (AI). Today, we continue that conversation, exploring data privacy concerns associated with AI tools. AI use cases are often showcased to consumers without warning of potential dangers in their application. When a service is free, your data is often the cost of entry. 


Today, we dive into three key elements of data privacy concerns in AI:


Operations Security (OPSEC): What information are you exposing publicly?

The public release of information can lead to both positive and negative outcomes. Classification by compilation, in which a series of seemingly harmless pieces of information published in open sources are pieced together to expose proprietary, sensitive information, gives credence to the age-old saying, “Loose lips sink ships.”


You may be wondering what this has to do with AI. Any information posted publicly can be used by developers to train AI algorithms. This could lead organizations to aid their competitors indirectly, should they choose to use the same AI platforms. An example of this is a 2023 lawsuit filed by artists against a number of companies that own AI image-generating tools. The artists argued that the AI companies used their art to train algorithms without the artists being properly compensated. The court ultimately ruled against the artists, demonstrating that it is extremely difficult to prove what data was used to train AI algorithms.


What data are you putting into AI applications?

As the use of AI continues to expand, users should carefully consider what data they are exposing. When using popular public-facing AI platforms, such as those created by OpenAI, Microsoft, and Amazon, users must be aware of the type of data they input. Sensitive data, including client information, PII, and trade secrets, should not be used to prompt public-facing AI tools. Inputs into these tools are used to further train the algorithm and develop these tools.


How are you storing your data?

When an organization decides to create or collaborate on a new AI model, large amounts of data are required to train it. When considering where to store such data, cloud storage appears as an attractive option. However, it is also important to consider the options and risks associated with data storage.


One example of such risk is the May 2024 data breach suffered by cloud-based data storage company Snowflake.


The threat actor responsible for the breach, UNC5537, subsequently extorted Snowflake, leading to at least $2.7 million in ransom payments for data suppression. This attack was primarily driven by compromised credentials without MFA, demonstrating the need for organizations to not only assess their third-party risk exposure but also continually implement security best practices.


Conclusion

AI is a powerful tool for organizations looking to enable employees to work within their strengths and increase efficiency. However, the improper use of AI can have disastrous effects. It is important for organizations to develop policies and training on the implementation and use of AI to set employees up for success and ensure the security of their environments. Tune in next week for the final installment of AI Deep Dive: Understanding Biases & How Threat Actors Use AI.


Sources 

Suspected North Korean Actors Pull off the Largest Crypto Heist in History

On February 21st, 2025, approximately $1.4 billion USD in Ethereum was stolen from cryptocurrency exchange Bybit. Ethereum held a price of $2600 per token as of February 21st and is one of many cryptocurrencies the exchange holds. Some quick division shows that at least 500,000 Ethereum coins were stolen, making this the largest crypto heist to date in value. Both TRM Labs and Chainalysis have assessed the threat actor to be associated with North Korea with high confidence due to an overlap in crypto wallets tracked as belonging to North Korea.


What's Notable and Unique: 


Conclusion 

While crypto-related attacks may seem like a new concept at face value, this is the most recent heist in a string stretching back ten years. In 2024 alone, North Korean threat actors were associated with $1.5 billion of the $2.2 billion stolen in such thefts. With North Korea conducting these thefts, the funds enter a broader cybercriminal ecosystem that is increasingly affecting the insurance ecosystem. Most recently, these threats have expanded into North Koreans fraudulently joining North American and European companies, stealing their source code, and then extorting the companies. Funds stolen in cryptocurrency thefts like the Bybit heist are funding the infrastructure supporting this increasingly stealthy form of extortion, with the proceeds ultimately supporting the North Korean military.


Fortunately, as threat actors and money launderers strengthen their ability to hide stolen money, blockchain analytic techniques and toolsets have also evolved. Often, the best way to prevent crypto heists and cybercrime is to implement sound security principles, including password management, vulnerability patching, and end user training.


Sources 

Medusa Leveraging EDR Evasion Tool

The Medusa ransomware group was recently observed using the Poortry tool to evade endpoint detection and response (EDR) software when attacking victims. Poortry, a threat since 2022, uses a modified kernel driver to bypass or disable EDR software. It relies on three core capabilities to get past most built-in driver protections: abusing leaked certificates, forging signature timestamps, and bypassing Microsoft attestation signing. In the recent Medusa campaign, the threat actor primarily leverages signatures from Chinese technical universities; however, this does not indicate that the group is working with the Chinese state.


What’s Notable and Unique


Analyst Comments

An increase in the use of EDR killers by multiple threat groups was observed in 2024, and this trend will likely continue in 2025 as more organizations rely on EDR solutions to secure their environments. Most driver-based EDR evasion methods rely on a technique known as Bring Your Own Vulnerable Driver (BYOVD), in which a threat actor installs a legitimate driver with known vulnerabilities on a victim machine and then exploits those vulnerabilities to gain privileges. Behavioral protection rules and blocking the installation of system-level drivers within EDRs can help counter these tools. It is also important for organizations to keep their systems updated and maintain adequate separation between user and admin privileges to limit threat actors’ ability to install vulnerable or malicious drivers.


In the case of Poortry, the EDR evasion capability rests on the tool’s ability to bypass the legitimate protections on driver loading. The tool then either deletes or terminates EDR processes. The most critical controls against this type of functionality are restricting the ability to tamper with or uninstall the EDR agent and alerting when devices are removed from the EDR management console.
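As an added example (not code from the original post or from any vendor), the following Python triage routine applies the guidance above to Sysmon Event ID 6 (DriverLoad) records: because Poortry-style loaders carry signatures that still validate, a "Valid" signature alone is not treated as safe; the driver's hash is checked against a blocklist, its signer against an allowlist, and its load path against the expected driver directories. The XML records, hashes, signer names and paths are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Placeholder standing in for a real vulnerable/malicious driver hash list
# (for example Microsoft's vulnerable driver blocklist or the LOLDrivers list).
BLOCKED_SHA256 = {"0" * 63 + "1"}

# Signers an organisation expects on kernel drivers. A "Valid" signature from
# anyone else is exactly what a leaked or forged certificate produces, so the
# signer name is checked independently of the signature status.
ALLOWED_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
    "Example EDR Vendor Inc.",  # placeholder for your own EDR vendor
}
EXPECTED_DIR_RE = re.compile(r"^C:\\Windows\\System32\\(drivers|DriverStore)\\", re.I)


def parse_driver_load(event_xml: str) -> Dict[str, str]:
    """Flatten a Sysmon Event ID 6 record into its EventData name/value pairs."""
    root = ET.fromstring(event_xml)
    event_id = root.findtext(f"{EVT_NS}System/{EVT_NS}EventID")
    if event_id != "6":
        raise ValueError(f"not a DriverLoad event (EventID={event_id})")
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVT_NS}Data")}
    # Sysmon writes Hashes as "SHA256=...,MD5=..." depending on its config.
    hashes = dict(h.split("=", 1) for h in data.get("Hashes", "").split(",") if "=" in h)
    data["SHA256"] = hashes.get("SHA256", "").lower()
    return data


def triage_driver_load(ev: Dict[str, str]) -> List[str]:
    """Return the reasons a driver load deserves attention (empty = looks normal)."""
    reasons = []
    if ev["SHA256"] in BLOCKED_SHA256:
        reasons.append("hash on vulnerable/malicious driver blocklist")
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append(f"signature not valid ({ev.get('SignatureStatus')})")
    if ev.get("Signature") not in ALLOWED_SIGNERS:
        reasons.append(f"unexpected signer '{ev.get('Signature')}'")
    if not EXPECTED_DIR_RE.match(ev.get("ImageLoaded", "")):
        reasons.append(f"loaded from unusual path {ev.get('ImageLoaded')}")
    return reasons


def sample_event(image: str, sha256: str, signed: str, signer: str, status: str) -> str:
    """Build a minimal Sysmon DriverLoad record (constructed test data)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>6</EventID></System>
  <EventData>
    <Data Name="ImageLoaded">{image}</Data>
    <Data Name="Hashes">SHA256={sha256}</Data>
    <Data Name="Signed">{signed}</Data>
    <Data Name="Signature">{signer}</Data>
    <Data Name="SignatureStatus">{status}</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [
    # A stock Windows driver: expected signer, expected path, not blocklisted.
    sample_event(r"C:\Windows\System32\drivers\tcpip.sys", "a" * 64,
                 "true", "Microsoft Windows", "Valid"),
    # A blocklisted driver dropped under ProgramData whose certificate still
    # validates: the leaked-certificate pattern described above.
    sample_event(r"C:\ProgramData\update\svc.sys", "0" * 63 + "1",
                 "true", "Placeholder Signer Ltd.", "Valid"),
]


def triage_all(events_xml: List[str]) -> List[List[str]]:
    """Parse and triage a batch of DriverLoad records."""
    return [triage_driver_load(parse_driver_load(x)) for x in events_xml]


if __name__ == "__main__":
    for xml_record, reasons in zip(SAMPLE_EVENTS, triage_all(SAMPLE_EVENTS)):
        print(parse_driver_load(xml_record)["ImageLoaded"], "->", reasons or ["ok"])
```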


Sources 

February 22, 2025

Sanctions Against Zservers

On February 11th, 2025, the US Treasury Department, along with the UK and Australian governments, sanctioned the bulletproof hosting provider Zservers, its registered company name XHOST Internet Solutions LP, and six administrators for providing support to ransomware groups, particularly LockBit ransomware-as-a-service (RaaS) affiliates. Additionally, on February 12th, law enforcement in the Netherlands seized 127 servers used by Zservers/XHOST following a yearlong investigation of the hosting provider.


What is Bulletproof Hosting?

Bulletproof hosting (BPH) providers are hosting services that offer anonymity from law enforcement. They are part of the cybercrime-as-a-service ecosystem and sell access to servers and infrastructure for operating and conducting cyberattacks and other criminal activity. BPHs market themselves on dark web forums and use techniques in their networks and architecture that make it difficult for law enforcement to identify and track users paying for their services.


Analyst Comments

To assess these potential sanctions issues accurately, we will leverage the Autonomous System Numbers (ASNs) associated with the hosting provider and the known cryptocurrency wallets the administrators use. SJA Labs tracks ASNs and hosting providers used by threat actors as part of our attribution, tracking, and due diligence processes for compliance with the Department of the Treasury’s Office of Foreign Assets Control (OFAC) and Anti-Money Laundering (AML) frameworks. As ASN and routing assignments change, we will continuously monitor the Zservers/XHOST infrastructure to capture its use by threat actors. Despite its widespread usage, XHOST infrastructure is not often the primary infrastructure leveraged by threat actors and was observed in only 2% of ransomware and extortion engagements to date. Further, the law enforcement seizure of the Zservers and XHOST servers will render most of the currently registered infrastructure unusable by threat actors, further limiting the impact of potential sanctions on current and future engagements.


Sources

RA World’s Suspected Link to Chinese Espionage Groups

The threat actor RA World was observed using a toolkit linked to a China-based cyber espionage group to carry out a ransomware attack, raising questions about the link between the ransomware group and Chinese state-sponsored groups. The attack, carried out in November 2024, deployed the PlugX payload, which has been observed in several instances of cyber espionage. PlugX malware is typically used to establish persistence and install backdoors. The November intrusion saw PlugX malware used against a medium-sized software and services company in South Asia.


What's Notable and Unique: 


Analyst Comments

State-sponsored threat actors have used ransomware as a tool in their arsenal since it was first used to extort money from victims. While ransomware can be used by state-sponsored threat actors to support state interests, state-sponsored threat actors also deploy ransomware to make money on the side. This form of moonlighting is commonly seen among Chinese- and Russian-sponsored actors. It is currently unclear if state actors operate RA World in any capacity.


Despite speculation linking RA World to the Chinese threat group Bronze Starlight, this connection also remains uncertain. The overlap in attack methodologies, including the use of the NPS tool and Babuk-based payloads, may be coincidental due to the availability of leaked tools. Nevertheless, RA World’s ability to exploit vulnerabilities like those in Palo Alto PAN-OS and Citrix Bleed, coupled with its evolving tactics, emphasizes the importance of heightened cybersecurity measures and vigilance around this growing threat.


The overlap between these various actors also highlights the importance of looking beyond just the ransomware brand when responding to ransomware attacks. Convergence among threat actors remains a persistent threat to organizations as overlaps drive improved tooling.


Sources 

Active Exploitation of Vulnerability in Palo Alto Networks PAN-OS

Hackers are targeting Palo Alto Networks PAN-OS firewalls by exploiting a recently patched vulnerability (CVE-2025-0108) that enables authentication bypass. The high-severity security flaw affects the PAN-OS management web interface and allows an unauthenticated network attacker to bypass authentication and invoke certain PHP scripts, compromising confidentiality and integrity.


What’s Notable and Unique  


Analyst Comments

Palo Alto Networks has confirmed reports of active exploitation of the PAN-OS web management interface vulnerability, and the security updates released by Palo Alto should be applied immediately by all users who have PAN-OS administration interfaces accessible from the internet. All enterprises are strongly advised to assess their configurations to reduce risk, as protecting publicly accessible management interfaces is a fundamental security best practice.


Sources 

February 15, 2025

AI Deep Dive Part 1: The History of AI

Artificial intelligence (AI) is a subset of computer science that focuses on creating systems that can replicate human intelligence and problem-solving capabilities. This is accomplished by feeding large amounts of data into machine learning models (MLMs) and processing the data. The result is technology that can simulate human learning, comprehension, problem-solving, decision-making, creativity, and autonomy. 


While often seen as new, cutting-edge technology, AI has been around far longer than most would think. Although the concept goes back to ancient philosophers theorizing on life and death, AI as we know it began in the early 1900s, when authors and artists portrayed it in science fiction well before what is commonly known as “the birth of AI.”


AI Through the Ages 


Conclusion 

AI as a whole is a fast-changing, fluid concept. Organizations regularly unveil new capabilities and breakthroughs. This was especially evident in the recent unveiling of DeepSeek and the subsequent data privacy concerns, which upended the sector in a single day. AI will likely remain a constantly changing field in the near term.


What’s Next? 

Part 2 of the AI Deep Dive will examine the risks and benefits of organizations adopting AI into their business models.  


Sources 

XE Hackers Group Shifts from Credit Card Skimming to Veracore Zero-days 

XE Hackers, a Vietnam-based group previously known for credit card skimming, has recently been exploiting zero-day vulnerabilities in Veracore, a warehouse management software. Until recently, XE Hackers made their money by selling stolen credit card data on carding forums and monetizing password theft. The group was recently detected exploiting two Veracore zero-day vulnerabilities and operating through previously deployed persistent web shells.


What's Notable and Unique: 


Analyst Comments  

This evolution exemplifies threat actors shifting from general cybercrime to more dangerous tactics that can cause greater operational impact to organizations. Lesser-known threat actors can quickly prove they have the resources and capabilities to become a significant threat. As the number of skilled cybercrime groups grows, it is increasingly important to secure endpoints and maintain thorough event logs to detect suspicious behavior. Zero-day exploitation is difficult to prevent with patching, so detection is crucial. The persistent web shells are also a reminder to keep web servers secure and conduct regular scans to detect any hidden threat actor access.

FBI, Europol, and NCA Take Down 8Base Ransomware 

A concerted law enforcement effort has taken down the 8Base ransomware group's dark web data leak and negotiating websites. The U.S. Federal Bureau of Investigation (FBI), Europol, the U.K. National Crime Agency (NCA), and agencies from Bavaria, Belgium, Czechia, France, Germany, Japan, Romania, Spain, Switzerland, and Thailand were all involved in the takedown. According to Thai media sources, four European nationals, two men and two women, were taken into custody on Monday in four different locations during an operation known as Operation Phobos Aetor. 


What's Notable and Unique: 


Analyst Comments  

Throughout 2024, there was significant law enforcement pressure on ransomware organizations, and it is encouraging to see this trend continue in 2025. One of the most effective means of reducing ransomware attacks seems to be consistent law enforcement activity. 


Sources 

February 8, 2025

Ransomware Trends & Data Insights: January 2025


Throughout January, analysts identified several distinct trends behind the threat actors perpetrating cybercrime activities: 



This edition focuses on the top cyber threats our Incident Response team responded to in January 2025. Of the 17 distinct ransomware variants observed during January, below are the top 3 variants encountered, based on the percent of total ransomware and extortion engagements throughout January:

Figure 1. Activity from the top 3 threat groups in January 2025 

Akira

Akira first emerged in April 2023 and quickly established itself as one of the most active ransomware groups. Through the end of 2024, the group remained one of the most prevalent ransomware threats and benefited from law enforcement’s actions against LockBit and ALPHV. Akira exfiltrates data to a remote server, encrypts the victim’s files, and extorts victims by threatening to post sensitive information on its dedicated leak site (DLS). The ransomware appends an “.akira” extension to encrypted files and uses a password-protected TOR site for communication and negotiations with its victims.


Notable TTPs  


Analyst Notes   

With the fall of ALPHV/BlackCat and the decline of LockBit in 2024, Akira developed into a ransomware operation that is consistently one of the top variants observed each month. With the exception of April and July, Akira was among the top three most active threat groups throughout 2024. We expect this level of activity will continue in the near term, and organizations should remain vigilant in security measures and consider implementing robust backups to mitigate the impact of a potential ransomware attack. 

Fog 

Fog is a relatively new ransomware group that was first observed in late April 2024. Initially, Fog primarily targeted organizations in the education sector using compromised VPN credentials. Engagements with the ransomware group and victims suggest that the group is expanding its attacks to target other industries.  


Notable TTPs  


Analyst Notes   

Fog has been among the most active threat groups since the second half of 2024. Although the group previously targeted primarily schools and educational organizations, it has since expanded its focus to other industries. Fog has also been exploiting a critical SonicWall VPN vulnerability since October 2024, contributing to its consistent activity levels.

RansomHub

RansomHub is a RaaS operation that emerged in January 2024 and is believed to be a rebrand of the Cyclops and Knight ransomware groups. In February, the group was observed recruiting affiliates on the Russian cybercrime forum RAMP. Affiliates reportedly receive 90% of the ransom, with the remaining 10% going to the group’s operators. RansomHub explicitly prohibits attacks on non-profit organizations and specific countries, including the Commonwealth of Independent States, Cuba, North Korea, and China. The threat actors behind RansomHub are located in various global locations and are united by a common goal of financial gain. 


Notable TTPs  


Analyst Notes

Engagements attributed to RansomHub have increased rapidly since SJA Labs first observed the group in May 2024, and it has been one of the top threat actor groups since July 2024. The group has targeted a wide range of high-profile victims in its short tenure, and the threat actors are clearly not afraid to monetize their efforts in any way possible.

Observed Malware in December 2024  

Jupyter Infostealer: The Jupyter Infostealer, also known as SolarMarker, is a .NET-based malware that has been active since late 2020. It functions as both an information stealer and a backdoor, primarily targeting web browsers, including Chromium, Mozilla Firefox, and Google Chrome. It steals cookies, login credentials, and security certificates from infected systems. Earlier versions had minimal obfuscation and clearly labeled functions, but newer variants are more advanced, employing heavy obfuscation and strong encryption methods like AES and RSA to communicate with command-and-control (C2) servers. More recent versions also use private key signatures and modify PowerShell scripts to appear as legitimate software. These tactics help Jupyter evade security measures by making it seem like a trusted application, improving its chances of avoiding detection. 


ASPXSpy: ASPXSpy is a web shell malware designed to provide attackers with remote control over compromised web servers. Written in ASP.NET, it allows threat actors to execute commands, upload or download files, modify system settings, and conduct further attacks within a network. Because ASPXSpy is lightweight and easily obfuscated, it is often used for persistent access in web-based intrusions. 


Babadeda: Babadeda is a crypter, a tool cybercriminals use to encrypt and obfuscate malicious code, making it harder for security software to detect. Active since at least 2021, Babadeda has been employed to distribute various types of malware, including information stealers, RATs, and ransomware. 


SocGholish: SocGholish is a malware family that disguises itself as software updates to trick users into executing a malicious JavaScript payload, thereby granting the malware control over the compromised system. SocGholish is frequently used by threat actors as an initial access broker, providing entry points for other attackers to exploit. It has been associated with the deployment of secondary payloads like Cobalt Strike, a tool often used for post-exploitation activities, including lateral movement and privilege escalation within a compromised network. In December 2024, a campaign targeted Kaiser Permanente employees via fraudulent Google Search Ads. These ads impersonated the company's HR portal, leading users to compromised websites that prompted fake browser update notifications. Executing these updates resulted in SocGholish malware infections.


Cobalt Strike: Cobalt Strike is a legitimate software suite designed for red team operations to conduct security assessments. However, it remains popular among cybercriminals, including ransomware gangs, for its versatility in command-and-control (C2) communications, reconnaissance, and malware delivery. Organizations should monitor for indicators of Cobalt Strike activity, including unusual C2 traffic and unauthorized PowerShell execution. Implementing endpoint detection and regular threat hunting can help mitigate the risk.

February 1, 2025

XWorm RAT Builder Targets Script Kiddies


Security researchers discovered a version of the XWorm remote access trojan (RAT) builder designed to target new and inexperienced hackers. The builder is being promoted on various Telegram and YouTube channels aimed at low-level hackers and individuals new to cybersecurity. The builder appears to be available for download on GitHub repositories and file-sharing services like Mega and Upload.ee; however, the file is actually malware used to steal the victims’ data, system information, and credentials.


What’s Notable and Unique 

Figure 1. Countries where devices were infected by the trojanized XWorm RAT (source: CloudSEK) 


Analyst Comments 

While the idea of targeting entry-level hackers with a trojanized builder may seem like poetic justice, the data set recovered by security researchers revealed the alarming number of individuals worldwide interested in engaging in malicious cyber activity. The ever-growing accessibility of information and emerging technologies like AI continue to lower the barrier of entry into cybercrime. Although the focus is typically on threats from the larger ransomware and extortion groups, less-skilled cybercriminals can still cause substantial financial damage and business disruption to the organizations they target. Additionally, the geographic diversity of the infected devices reflects the global threat of cybercrime.


Sources 

Fake Reddit and WeTransfer Sites Push Lumma Stealer Malware

 

Threat actors have set up approximately 1,000 websites that imitate Reddit and the file-sharing service WeTransfer, luring unsuspecting users into downloading the Lumma information-stealing malware. The malicious sites display a fake Reddit discussion thread on a particular subject. To give an air of credibility, the thread originator requests help finding a specific tool, a second user offers to help by uploading it to WeTransfer and posting the URL, and a third user thanks them for sharing the resource.

 

What's Notable and Unique: 

Analyst Comments  

Lumma Stealer is a capable tool that uses sophisticated data-theft and evasion techniques. Operators purchase the malware and distribute it through various channels, such as malvertising, deepfake-generating websites, and GitHub comments. The stealer harvests session tokens and passwords saved in web browsers; a stolen session token lets the attacker take over an account without needing the user's password at all. In this type of attack, threat actors often steal sensitive login information and attempt to sell it on dark web forums.

 

Sources 

Ransomware Targets ESXi Systems via Stealthy SSH Tunnels for C2 Operations

 

In recent years, VMware ESXi appliances have become high-value targets for ransomware groups due to their critical role in virtualized infrastructures. These appliances are increasingly exploited for exfiltrating and encrypting virtual machine images, leading to severe operational disruptions and reputational damage.  

 

Beyond this, threat actors are leveraging ESXi appliances earlier in the attack chain, using them as a pivot point to tunnel traffic and gain further access to corporate networks. This tactic abuses native tools, such as Secure Shell (SSH), to establish stealthy communication channels (e.g., SOCKS tunnels) between the compromised infrastructure and command-and-control (C2) servers. Because ESXi hosts are often poorly monitored, these attacks frequently proceed undetected, exacerbating the risk and potential impact on affected organizations.

 

What’s Notable and Unique  

Analyst Comments

Given the increasing sophistication of ransomware attacks targeting ESXi appliances, organizations must prioritize proactive monitoring and log analysis to detect early signs of intrusion. The four key log files (/var/log/shell.log, /var/log/hostd.log, /var/log/auth.log, and /var/log/vobd.log) offer valuable insights into SSH tunneling and potential ransomware activity, including traces of command execution, administrative actions, login attempts, and firewall rule modifications.  

 

To improve detection and response capabilities, it is highly recommended that organizations centralize ESXi logs through syslog forwarding and integrate them into a Security Information and Event Management (SIEM) system, enabling more effective identification of anomalies and reducing the risk of undetected attacks. 
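To make that recommendation concrete, here is an added example (written for this edition, not code from the original reporting) that triages the four log files named above once they have been forwarded off the host. It flags an SSH command launched from the ESXi shell with tunnel options (-R, -D, -L or -w), firewall changes made via esxcli, sshd logins from outside an assumed administrative jump-host range, the host's own audit events for SSH, shell and firewall state, and hostd's record of the SSH service being enabled, then orders everything into a single timeline. The log lines are constructed in the style of ESXi syslog output; the exact prefixes and vobd audit identifiers are approximations, and the 10.10.5.0/24 admin network is an assumption.

```python
import ipaddress
import re

# Constructed sample lines formatted after the ESXi syslog style. They are
# illustrative and are not records from the original article or a real incident.
SAMPLE_LOGS = {
    "/var/log/hostd.log": [
        "2025-01-20T02:12:30Z In(166) Hostd[2097940]: [Originator@6876 sub=Vimsvc.ha-eventmgr] "
        "Event 901 : SSH for the host has been enabled",
    ],
    "/var/log/auth.log": [
        "2025-01-19T08:59:50Z In(38) sshd[2098790]: Accepted publickey for root from 10.10.5.21 port 40110 ssh2",
        "2025-01-20T02:12:55Z In(38) sshd[2099500]: Accepted keyboard-interactive/pam for root from 203.0.113.10 port 51422 ssh2",
    ],
    "/var/log/shell.log": [
        "2025-01-19T09:00:01Z In(14) shell[2098800]: [root]: esxcli vm process list",
        "2025-01-20T02:13:40Z In(14) shell[2099512]: [root]: esxcli network firewall set --enabled false",
        "2025-01-20T02:14:05Z In(14) shell[2099512]: [root]: ssh -fN -o StrictHostKeyChecking=no -R 127.0.0.1:1080 ops@203.0.113.10",
    ],
    "/var/log/vobd.log": [
        "2025-01-20T02:13:41Z In(14) vobd[2097850]: [netCorrelator] 1234567us: [esx.audit.net.firewall.disabled] Firewall has been disabled.",
    ],
}

# Assumed range of the jump hosts from which administrators legitimately SSH to ESXi.
ADMIN_NETS = [ipaddress.ip_network("10.10.5.0/24")]

TS_RE = re.compile(r"^(\S+)")
SHELL_RE = re.compile(r"shell\[\d+\]: \[(?P<user>\w+)\]: (?P<cmd>.*)$")
# ssh invoked with a remote (-R), dynamic/SOCKS (-D), local (-L) or tun (-w) forward
SSH_TUNNEL_RE = re.compile(r"^ssh\b.*\s-[A-Za-z]*[RDLw](?:\s|$)")
FIREWALL_CMD_RE = re.compile(r"esxcli\s+network\s+firewall\b", re.I)
SSHD_ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
AUDIT_RE = re.compile(r"\[(esx\.audit\.(?:ssh|shell|net\.firewall)[\w.]*)\]")
HOSTD_SSH_RE = re.compile(r"SSH .* has been enabled", re.I)


def triage_esxi_logs(logs):
    """Return (timestamp, kind, detail) findings across the four logs, oldest first."""
    findings = []
    for path, lines in logs.items():
        for line in lines:
            ts = TS_RE.match(line).group(1)
            if path.endswith("shell.log"):
                m = SHELL_RE.search(line)
                if not m:
                    continue
                cmd = m.group("cmd")
                if SSH_TUNNEL_RE.search(cmd):
                    findings.append((ts, "ssh_tunnel", f"{m.group('user')}: {cmd}"))
                elif FIREWALL_CMD_RE.search(cmd):
                    findings.append((ts, "firewall_change", cmd))
            elif path.endswith("auth.log"):
                m = SSHD_ACCEPT_RE.search(line)
                if m and not any(ipaddress.ip_address(m.group("ip")) in net for net in ADMIN_NETS):
                    findings.append((ts, "ssh_login_unexpected_source",
                                     f"{m.group('user')} from {m.group('ip')}"))
            elif path.endswith("vobd.log"):
                m = AUDIT_RE.search(line)
                if m:
                    findings.append((ts, "audit_event", m.group(1)))
            elif path.endswith("hostd.log") and HOSTD_SSH_RE.search(line):
                findings.append((ts, "ssh_service_enabled", line.split("] ", 1)[-1]))
    return sorted(findings)   # ISO-8601 timestamps sort lexicographically


if __name__ == "__main__":
    for ts, kind, detail in triage_esxi_logs(SAMPLE_LOGS):
        print(ts, kind.ljust(28), detail)
```

Read together, the five findings tell the story the article describes: SSH is switched on, a login arrives from an address no administrator uses, the firewall is disabled, vobd records the change, and ninety seconds later a reverse forward to the same external address turns the hypervisor into a SOCKS pivot. The logic only works if the lines leave the host before they are rotated or tampered with; on ESXi that means pointing syslog at the collector with "esxcli system syslog config set --loghost=udp://<collector>:514" followed by "esxcli system syslog reload", and making sure the syslog ruleset is open ("esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true").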


Sources

January 25,  2025

Cybercriminals are Phishing Companies That Use Google Ads with…Google Ads

 

A new campaign is targeting Google Ads users by phishing for their credentials through Google Ads itself. Victims are tricked into entering credentials into what appears to be the Google Ads login page but is actually a look-alike site promoted through a sponsored Google Ads placement. Harvesting advertiser credentials this way in turn supplies the accounts and budgets that power broader malvertising campaigns and other cybercriminal operations.


What Happens?  

Once an unsuspecting victim clicks the fraudulent Google Ads placement, they are prompted to enter their Google account information. In addition to the account credentials, the phishing kit collects identifying browser data, including cookies and cached browser credentials. With these in hand, the threat actor logs into the victim's Google Ads account and locks the legitimate owner out. An email notification of an unrecognized login attempt may be the only indication the victim receives that anything is wrong.

What happens next is where things get interesting. Once the threat actor has control of the account, they have two options: 

Analyst Comments

The ongoing campaign targeting Google Ads credentials reflects the continued increase in malvertising observed by SJA Labs. This also highlights the need for end users’ heightened scrutiny surrounding communications as threat actor phishing tactics evolve and mature. SJA Labs advises caution in day-to-day operations and encourages end users to be cognizant of the various methods threat actors utilize to gain initial access into victim environments.  

 

Sources 

Rise in Phishing Kits Targeting Microsoft Office 365 Accounts 

 

Security researchers recently discovered a new phishing kit targeting Microsoft 365 accounts. The kit, called Sneaky 2FA, functions as an Adversary-in-the-Middle (AiTM) kit that can bypass two-factor authentication by relaying the victim's login through attacker infrastructure and capturing the resulting session. Sneaky 2FA has been sold since October 2024 by a cybercrime service called "Sneaky Log" as a phishing-as-a-service (PhaaS) product for stealing Microsoft 365 credentials. Researchers first observed Sneaky 2FA in December 2024, and it has since been seen on almost 100 domains.

 

What’s Notable and Unique  

Analyst Comments

Increased availability of phishing kits continues to demonstrate the expanding ecosystem of tools enabling cybercrime and the evolution and maturation of phishing tactics employed by threat actors. In 2024, SJA Labs observed phishing as the method of intrusion in 40% of business email compromise (BEC) engagements throughout the year. Phishing kits like Sneaky 2FA and Tycoon 2FA will likely continue to evolve as long as threat actors are able to successfully utilize them to obtain victim credentials. Verifying the legitimacy of links and websites prior to entering credentials remains a critical practice for end users. 


Sources 

January 18,  2025

Funksec: New Threat Group Leverages AI to Build Malware

 

Funksec is a new ransomware-as-a-service (RaaS) that emerged in December 2024. Over the past month, the group has posted more victims to its data leak site (DLS) than any other ransomware group, surpassing more established groups like Akira and RansomHub. However, cybersecurity researchers recently discovered that this prolific activity from Funksec may actually be the work of inexperienced threat actors leveraging artificial intelligence (AI) to assist them in building malware.  

 

What’s Notable and Unique  

Since emerging in December, Funksec has aggressively self-promoted its ransomware activities and capabilities, posting over 85 victims on its DLS and even going as far as providing an interview to boast about its capabilities. In addition to the victims, the DLS contains information about purchasing the RaaS and various tools, including a Distributed Denial-of-Service (DDoS) tool and a remote desktop management tool written in C++. Despite the group's seemingly rapid growth, security researchers made several discoveries about Funksec's malware and operations, suggesting the group isn't as sophisticated or prolific as it claims to be. 

Analyst Comments

While it is too early to assess the threat this new group will pose in 2025, Funksec is not the first to use its DLS to give an inflated impression of its activity level. What is more notable is the use of AI in creating the tools and malware used by the new ransomware group. AI is more commonly observed in creating phishing and social engineering campaigns, but it was only a matter of time before novice cybercriminals leveraged it to build the tools and malware for conducting ransomware attacks.


Sources 

Infostealer Disguised as PoC Code Exploiting Recent LDAP Vulnerability

 

Threat actors are distributing information-stealing malware disguised as proof-of-concept (PoC) exploit code for a recently discovered Windows Lightweight Directory Access Protocol (LDAP) vulnerability. The vulnerability, identified as CVE-2024-49113 and named LDAPNightmare, can lead to denial-of-service (DoS) attacks. It was patched in a security update issued on December 10, 2024. 

 

What’s Notable and Unique  

Analyst Comments

Our security researchers continuously monitor the tactics, techniques, and procedures (TTPs) associated with information-stealer malware, including lures such as this one that disguise a stealer as exploit code for a headline vulnerability. The practical defense is the same one that applies to any third-party PoC: verify the source of the code, read it before running it, and execute it only in an isolated environment. Combined with up-to-date detection capabilities and analysis of emerging attack methods, this allows threats aimed at stealing sensitive information or disrupting services to be identified and contained before they cause significant damage, protecting both our infrastructure and the critical data of our clients.

 

Sources 

AWS Falls Victim to Ransomware  

 

An emerging ransomware group dubbed Codefinger has been observed encrypting objects within the Amazon Web Services (AWS) Simple Storage Service (S3). While exposed buckets are a common target of extortionists looking for a payday, this is the first publicly reported instance of ransomware encrypting data inside AWS S3 rather than simply stealing it. The threat actor accomplishes the encryption using a native S3 feature, server-side encryption with customer-provided keys (SSE-C): S3 encrypts each object with a key the caller supplies in the request and does not retain it, so objects rewritten with an attacker-controlled key cannot be recovered without that key.

 

What’s Notable and Unique  

Analyst Comments  

The encryption of data held within the cloud is uniquely interesting because it opens a whole new playing field for cybercriminals, with many organizations potentially operating under a false sense of security. It is still too early to tell with a high degree of confidence whether this encryption method will be adopted by other threat groups, or whether Codefinger will become a prolific cybercrime group. However, should this tactic be widely adopted, it could significantly expand the threat landscape available to cybercriminals.
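As an added example (written for this edition, not code from the original article or from AWS), the following Python snippet shows both halves of the practical response to this technique: spotting SSE-C writes in CloudTrail S3 data events, and generating the bucket policy that refuses them. The CloudTrail records are constructed; the field layout follows the CloudTrail S3 data-event format as I understand it, in which the SSEApplied value under additionalEventData records which server-side encryption mode was applied, and S3 data events must be enabled for such records to exist at all. The bucket, key and principal names are illustrative.

```python
import json
from collections import defaultdict

# Constructed CloudTrail S3 data-event records for illustration only; not records
# from the original article or from the reported incident.
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "eventTime": "2025-01-10T03:12:44Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"bucketName": "acme-backups", "key": "db/2025-01-09.dump"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "CopyObject", "eventTime": "2025-01-10T03:12:45Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"bucketName": "acme-backups", "key": "db/2025-01-08.dump"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutObject", "eventTime": "2025-01-10T03:15:00Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/app-writer"},
     "requestParameters": {"bucketName": "acme-uploads", "key": "img/1.png"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
]

# Write-type S3 API calls that can apply an encryption mode to an object.
WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload", "UploadPart"}


def find_ssec_writes(events):
    """Group object keys written with SSE-C by (principal ARN, bucket).

    In an environment that never uses customer-provided keys, any hit here is
    either a misconfiguration or the first sign of the Codefinger-style attack.
    """
    hits = defaultdict(list)
    for ev in events:
        if ev.get("eventName") not in WRITE_EVENTS:
            continue
        if ev.get("additionalEventData", {}).get("SSEApplied") != "SSE_C":
            continue
        key = (ev["userIdentity"]["arn"], ev["requestParameters"]["bucketName"])
        hits[key].append(ev["requestParameters"]["key"])
    return dict(hits)


def deny_ssec_policy(bucket):
    """Bucket policy denying any PutObject that supplies a customer-provided key.

    The Null condition evaluates to true when the SSE-C algorithm header is
    present, so the statement blocks SSE-C writes while leaving SSE-S3/SSE-KMS
    uploads untouched. CopyObject is authorized as s3:PutObject on the target.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECWrites",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {
                "Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}
            },
        }],
    }


if __name__ == "__main__":
    for (arn, bucket), keys in find_ssec_writes(SAMPLE_EVENTS).items():
        print(f"SSE-C writes by {arn} to {bucket}: {len(keys)} object(s)")
        print(json.dumps(deny_ssec_policy(bucket), indent=2))
```

The deny statement is prevention for buckets that have no legitimate SSE-C use; where the detection fires, the question that follows is whether versioning was enabled, because SSE-C rewrites create new object versions and the originals survive unless the attacker also held s3:DeleteObjectVersion. Restricting that permission, and keeping the credentials that can write to backup buckets short-lived, is what turns this from a ransom event into a restore.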


Sources