Cybersecurity News

AI Deep Dive Part 2: Data Privacy Concerns 

A few weeks ago, we outlined the history of artificial intelligence (AI). Today, we continue that conversation, exploring data privacy concerns associated with AI tools. AI use cases are often showcased to consumers without warning of potential dangers in their application. When a service is free, your data is often the cost of entry. 

Today, we dive into three key elements of data privacy concerns in AI:

• What information are you exposing publicly?  

• What data are you putting into AI applications?  

• And finally, how are you storing your data? 

Operations Security (OPSEC): What information are you exposing publicly?

The public release of information can lead to both positive and negative outcomes. Classification by compilation, in which a series of seemingly harmless pieces of information are pieced together in open source, leading to exposure of proprietary, sensitive information, gives credence to the age-old saying, “Loose lips sink ships.” 

You may be wondering what this has to do with AI. Any information posted publicly can be used by developers to train AI algorithms. This could lead organizations to aid their competitors indirectly, should they choose to use the same AI platforms. An example of this is a 2023 lawsuit filed by artists against a number of companies that own AI image-generating tools. The artists argued that the AI companies used their art to train algorithms without the artists being properly compensated. The court ultimately ruled against the artists, demonstrating that it is extremely difficult to prove what data was used to train AI algorithms.

What data are you putting into AI applications?

As the use of AI continues to expand, users should carefully consider what data they are exposing. When using popular public-facing AI platforms, such as those created by OpenAI, Microsoft, and Amazon, users must be aware of the type of data they input. Sensitive data, including client information, PII, and trade secrets, should not be used to prompt public-facing AI tools. Inputs into these tools are used to further train the algorithm and develop these tools.

How are you storing your data?

When an organization decides to create or collaborate on a new AI model, large amounts of data are required to train it. When considering where to store such data, cloud storage appears as an attractive option. However, it is also important to consider the options and risks associated with data storage.

One example of such risk is the May 2024 data breach suffered by cloud-based data storage company Snowflake.

The threat actor responsible for the breach, UNC5537, subsequently extorted Snowflake, leading to at least $2.7 million in ransom payments for data suppression. This attack was primarily driven by compromised credentials without MFA, demonstrating the need for organizations to not only assess their third-party risk exposure but also continually implement security best practices.

Conclusion

AI is a powerful tool for organizations looking to enable employees to work within their strengths and increase efficiency. However, the improper use of AI can have disastrous effects. It is important for organizations to develop policies and training on the implementation and use of AI to set employees up for success and ensure the security of their environments. Tune in next week for the final installment of AI Deep Dive: Understanding Biases & How Threat Actors Use AI.

Sources 

• https://x.com/Cyberknow20/status/1797164649408061453

• https://www.darkreading.com/threat-intelligence/snowflake-account-attacks-driven-by-exposed-legitimate-credentials

Suspected North Korean Actors Pull off the Largest Crypto Heist in History

On February 21st, 2025, approximately $1.4 billion USD in Ethereum was stolen from cryptocurrency exchange Bybit. Ethereum held a price of $2600 per token as of February 21st and is one of many cryptocurrencies the exchange holds. Some quick division shows that at least 500,000 Ethereum coins were stolen, making this the largest crypto heist to date in value. Both TRM Labs and Chainalysis have assessed the threat actor to be associated with North Korea with high confidence due to an overlap in crypto wallets tracked as belonging to North Korea.

What's Notable and Unique: 

• North Korea has a long history of financial fraud, money laundering, and other illicit activity. Members of the Democratic People’s Republic of Korea (DPRK) military regularly participate in illicit activities, including remote worker fraud, cryptocurrency hijacking and mining, money mules, wire fraud, and even ransomware. These cybercriminal activities allow DPRK to bypass international sanctions to raise funds for their military.
  
  

• The threat actors compromised one of Bybit’s offline cold wallets, digital wallets that store private keys needed to access other cryptocurrency wallets completely offline. Due to the wallet being disconnected from the internet, the most likely sources of the compromise were a supply chain attack, insider threat, or a private key compromise.
  
  

• The alleged North Korean threat actors may not be able to fully monetize the theft. The funds must now be laundered before being taken out at another exchange, as most of the initial wallets to which funds were transferred have been marked as having stolen funds on legitimate cryptocurrency exchanges. The laundering will likely be a two-step process. First, the funds will be exchanged for a native cryptocurrency, such as Ether or BTC, as it is difficult to track stolen funds across cryptocurrency blockchain transfers. Next, the actors will attempt to cover their tracks further by layering the funds to throw investigators off their trail. Shortly after the compromise the actor used 50 wallets and placed 10,000 coins in each, further supporting the alleged theft of 500,000 coins in total.
  
  

• Bybit has offered a 10% bounty on the stolen coins, leading to a potential purse of $140 million. So far, $42.89 million of the stolen funds have been frozen. However, it is unclear whether this is the work of bounty hunters, law enforcement, or Bybit.

Conclusion 

While crypto-related attacks may seem like a new concept at face value, this is the most recent heist in a string traversing ten years. In 2024 alone, North Korean threat actors were associated with $1.5 billion out of $2.2 billion in theft. With North Korea conducting these thefts, the funds enter a broader cybercriminal ecosystem, increasingly invading the insurance ecosystem. Most recently, these threats have expanded into North Koreans fraudulently joining North American and European companies, stealing their source code, and then extorting the companies. Funds stolen in cryptocurrency thefts like the Bybit thefts are funding infrastructure supporting this increasingly stealthy form of extortion, consequently resulting in funds supporting the North Korean military.

Fortunately, as threat actors and money launderers strengthen their ability to hide stolen money, blockchain analytic techniques and toolsets have also evolved. Often, the best way to prevent crypto heists and cybercrime is to implement sound security principles, including password management, vulnerability patching, and end user training.

Sources 

• https://www.trmlabs.com/post/trm-links-north-korea-to-record-1-5-billion-record-hack

• https://www.infosecurity-magazine.com/news/bybit-140m-bounty-recover-mega/ 

• https://www.benzinga.com/markets/cryptocurrency/25/02/43905078/bybit-nears-recovery-after-crypto-heist-freezes-42-89-million-in-stolen-funds-secures-1-23-billion-in-eth-through-whales-and-loans

• https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2025/

Medusa Leveraging EDR Evasion Tool

The Medusa ransomware group was recently observed utilizing the Poortry tool to evade endpoint detection and response (EDR) software when attacking victims. Poortry is a tool that uses a modified kernel driver to bypass or disable EDR software and has been a threat since 2022. It leverages three core capabilities to evade most built-in driver protection capabilities, including abusing leaked certificates, forging signature timestamps, and bypassing Microsoft attestation signing. In the recent Medusa campaign, the threat actor primarily leverages signatures from Chinese technical universities. However, this does not indicate that the group is working with the Chinese. 

What’s Notable and Unique

• Emerging as a threat in 2022, Poortry’s developers continue to modify their drivers so they can effectively evade EDR software. In July 2024, researchers discovered a version of Poortry that could completely delete components of the EDR software instead of just evading detection.
  
  

• Some of the drivers observed in the Medusa engagements had expired or illegitimate certificates that were named to appear as legitimate EDR drivers. In particular, the drivers were masquerading as CrowdStrike Falcon and Palo Alto Cortex.
  
  

• Medusa is not the only threat group that uses the tool. Since 2022, researchers have also identified Cuba, ALPHV/BlackCat, LockBit, and RansomHub leveraging Poortry in attacks.

Analyst Comments

An increase was observed in the use of EDR killers by multiple threat groups in 2024, and this trend will likely continue in 2025 as more organizations rely on EDR solutions to secure their environment. Most driver-based EDR evasion methods rely on a technique known as Bring Your Own Vulnerable Driver (BYOVD), in which a threat actor will install a legitimate driver with known vulnerabilities onto a victim machine and then exploit them to gain privileges. Behavioral protection rules and blocking downloads of system-level drivers within EDRs can help counter these tools, and it is important for organizations to keep their systems updated and maintain adequate separation between user and admin privileges to limit threat actors’ ability to install vulnerable or malicious drivers.

In the case of Poortry, the EDR evasion capabilities rest in the tool’s ability to bypass legitimate protection on driver downloads. The tool then either deletes or terminates EDR processes. The most critical components for protecting against this type of functionality are restricting the ability to tamper with or uninstall EDR and enabling alerting when devices are removed from an EDR maintenance console.

Sources 

• https://news.sophos.com/en-us/2024/08/27/burnt-cigar-2/

• https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/

Sanctions Against Zservers

On February 11th, 2025, the US Treasury Department, along with the UK and Australian governments, sanctioned the bulletproof hosting provider Zservers, their registered company name XHOST Internet Solutions LP, and six administrators for providing support to ransomware groups –particularly LockBit ransomware-as-a-service (RaaS) affiliates. Additionally, on February 12th, law enforcement in the Netherlands seized 127 servers used by Zservers/XHOST following a yearlong investigation of the hosting provider.  

What is Bulletproof Hosting?

Bulletproof hosting (BPH) providers are hosting services that offer anonymity from law enforcement. They are part of the cybercrime-as-a-service ecosystem and sell access to servers and infrastructure for operating and conducting cyberattacks and other criminal activity. BPHs market themselves on dark web forums and use techniques in their networks and architecture that make it difficult for law enforcement to identify and track users paying for their services.

Analyst Comments

To assess these potential sanctions issues accurately, we will leverage Autonomous System Numbers (ASNs) associated with the hosting provider and the known cryptocurrency wallets the administrators use. SJA Labs tracks ASNs and hosting providers used by threat actors as part of our robust attribution, tracking, and due diligence processes for compliance with the Department of the Treasury’s Office of Foreign Asset Controls (OFAC) and Anti-Money Laundering (AML) frameworks. As ASN and routing assignments change, we will continuously monitor the Zserver/XHOST infrastructure to capture its use by threat actors. Despite its widespread usage, XHOST infrastructure is not often the primary infrastructure leveraged by threat actors and was observed in only 2% of ransomware and extortion engagements to date. Further, the law enforcement seizures of the Zservers and XHOST servers will render most of the currently registered infrastructure unusable by threat actors, further limiting the impact of potential sanctions on current and future engagements.

Sources

• https://home.treasury.gov/news/press-releases/sb0018

• https://www.gov.uk/government/news/new-uk-sanctions-target-russian-cybercrime-network

• https://therecord.media/zservers-russia-bulletproof-hosting-us-uk-sanctions

• https://www.politie.nl/nieuws/2025/februari/13/politie-amsterdam-ontmantelt-digitaal-crimineel-netwerk-127-servers-offline-gehaald.html

• https://www.cyber.gov.au/about-us/view-all-content/publications/bulletproof-hosting-providers

RA World’s Suspected Link to Chinese Espionage Groups

The threat actor RA World was observed using a toolkit linked to a China-based cyber espionage group to carry out a ransomware attack, raising questions about the link between the ransomware group and Chinese state-sponsored groups. The attack, carried out in November 2024, deployed the PlugX payload, which has been observed in several instances of cyber espionage. PlugX malware is typically used to establish persistence and install backdoors. The November intrusion saw PlugX malware used against a medium-sized software and services company in South Asia.

What's Notable and Unique: 

• Though no infection vector was found, the attacker said they exploited CVE-2004-0012, a known vulnerability in the PAN-OS firewall that has been exploited by state-sponsored and ransomware actors.
  
  

• Palo Alto researchers previously found connections between RA World and Bronze Starlight (AKA Emperor Dragonfly or Storm-401), a China-based threat actor known for using ransomware groups.
  
  

• While China has a history of allowing its state-affiliated threat actors to moonlight, the use of traditional espionage tools for ransomware attacks is generally not allowed. 

Analyst Comments

State-sponsored threat actors have used ransomware as a tool in their arsenal since it was first used to extort money from victims. While ransomware can be used by state-sponsored threat actors to support state interests, state-sponsored threat actors also deploy ransomware to make money on the side. This form of moonlighting is commonly seen among Chinese- and Russian-sponsored actors. It is currently unclear if state actors operate RA World in any capacity.

Despite speculation linking RA World to the Chinese threat group Bronze Starlight, this connection also remains uncertain. The overlap in attack methodologies, including the use of the NPS tool and Babuk-based payloads, may be coincidental due to the availability of leaked tools. Nevertheless, RA World’s ability to exploit vulnerabilities like those in Palo Alto PAN-OS and Citrix Bleed, coupled with its evolving tactics, emphasizes the importance of heightened cybersecurity measures and vigilance around this growing threat.

The overlap between these various actors also highlights the importance of looking beyond just the ransomware brand when responding to ransomware attacks. Convergence among threat actors remains a persistent threat to organizations as overlaps drive improved tooling.

Sources 

• https://www.bleepingcomputer.com/news/security/chinese-espionage-tools-deployed-in-ra-world-ransomware-attack/

• https://thehackernews.com/2025/02/hackers-exploited-pan-os-flaw-to-deploy.html

• https://unit42.paloaltonetworks.com/ra-world-ransomware-group-updates-tool-set/

• https://www.sentinelone.com/anthology/ra-group/

• https://www.trendmicro.com/en_ae/research/24/c/multistage-ra-world-ransomware.html

• https://unit42.paloaltonetworks.com/ra-world-ransomware-group-updates-tool-set/

Active Exploitation of Vulnerability in Palo Alto Networks PAN-OS

Hackers are targeting Palo Alto Networks PAN-OS firewalls and taking advantage of a recently patched vulnerability (CVE-2025-0108) that enables authentication bypass. The high-severity security flaw affects the PAN-OS management web interface and allows an unauthorized network attacker to overcome authentication and run certain PHP scripts, compromising confidentiality and integrity.

What’s Notable and Unique  

• These attacks leverage a PAN-OS path misunderstanding between Nginx and Apache, which makes it possible to bypass authentication. Attackers with network access to the management interface can modify accessible settings to weaken security defenses or obtain intelligence for future attacks.
  
  

• Security researchers demonstrated that the vulnerability could be used to access firewall configurations, harvest private system data, or even change specific PAN-OS settings. One security researcher stated that over 4,400 PAN-OS devices are currently exposing their management interface online.
  
  

• Palo Alto Networks issued a security alert listing the versions impacted by the vulnerability and urging administrators to update their firewalls to newer versions. Although PAN-OS 11.0 is also affected, Palo Alto Networks has no plans to issue any solutions for the product because it has reached end of life. Users are strongly encouraged to switch to a supported version.

Analyst Comments

Palo Alto Networks has confirmed reports of active exploitation aimed at a PAN-OS web management interface vulnerability, and the security upgrades released by Palo Alto should be applied right away by all users who have PAN-OS administration interfaces accessible via the internet. It is highly advised to all enterprises to assess their setups to reduce risk, as protecting management interfaces that are publicly accessible is a fundamental security best practice.

Sources 

• https://www.assetnote.io/resources/research/nginx-apache-path-confusion-to-auth-bypass-in-pan-os

• https://www.bleepingcomputer.com/news/security/hackers-exploit-authentication-bypass-in-palo-alto-networks-pan-os/

• https://security.paloaltonetworks.com/CVE-2025-0108

• https://www.greynoise.io/blog/greynoise-observes-active-exploitation-of-pan-os-authentication-bypass-vulnerability-cve-2025-0108

AI Deep Dive Part 1: The History of AI

Artificial intelligence (AI) is a subset of computer science that focuses on creating systems that can replicate human intelligence and problem-solving capabilities. This is accomplished by feeding large amounts of data into machine learning models (MLMs) and processing the data. The result is technology that can simulate human learning, comprehension, problem-solving, decision-making, creativity, and autonomy. 

While often seen as new, cutting-edge technology, AI has been around far longer than most would think. While the concept of AI goes back to ancient philosophers theorizing on life and death, AI as we know it began in the early 1900s. The conception of what AI is began to be portrayed in science fiction by various authors and artists throughout the early 1900s prior to what is commonly known as “the birth of AI.”  

AI Through the Ages 

• The Birth of AI: 1950 – 1956
  
  Computer scientists such as Alan Turing, Arthur Samuel, and John McCarthy set the stage for the beginning of AI. Turing published “Computer Machinery and Intelligence,” which annotated a test of machine intelligence called the Imitation Game. Turing theorized that any machine able to fool a human judge would be classified as artificial intelligence.
  
  

• AI Maturation: 1957 – 1979
  
  The next twenty years showed little growth for AI at a technical level. While the concept of AI became popular in pop culture, funding-backed research was minimal during this period. However, that is not to say that strides towards what AI is today were not made. The first programming languages were created, paving the way for future development. The first AI chatbot was created, which adopted a new approach to AI that we now call deep learning, and the first examples of an autonomous vehicle were created.
  
  

• AI Boom: 1980 – 1987
  
  During the seven-year period known as the AI boom, government funding and associated research significantly increased. The first Association for the Advancement of Artificial Intelligence (AAAI) conference was held at Sanford, and the first driverless car demonstrated its ability to drive up to 55 mph on empty roads.
  
  

• AI Winter: 1987 – 1993
  
  Overall, funding and interest in AI decreased during this period, leading to fewer advancements in the technology than in years prior.
  
  

• AI agents: 1993 – 2011
  
  Despite the initial lack of investment in AI, the technology as a whole significantly increased its capabilities during this time period. Most notably, this is when AI began being integrated into people's daily lives with items such as the Roomba and the release of Apple's virtual assistant, Siri.
  
  

• Early General Artificial Intelligence: 2012 – Present
  
  This brings us up to the current state of AI. The last decade has shown impressive leaps in AI's ability to aid humans in day-to-day functions. This is also accompanied by enormous data collection from well-known companies that are able to train their AI models, which has led to the release of consumer-facing AI models such as ChatGPT, Copilot, and more. 

Conclusion 

AI as a whole is a fast-changing, fluid concept. Organizations regularly unveil new capabilities and breakthroughs. This was especially evident in the recent unveiling of Deepseek and the subsequent data privacy concerns. In a single day, this overturned the sector in one fell swoop. AI will likely remain a constantly changing field in the near term. 

What’s Next? 

Part 2 of the AI Deep Dive will examine the risks and benefits of organizations adopting AI into their business models.  

Sources 

• https://www.accuracy.com/artificial-intelligence-episode-2-the-imitation-game-and-business/#:~:text=Turing%20considered%20that%20any%20machine,machine%20or%20the%20human%20player. 

• https://www.tableau.com/data-insights/ai/history 

• https://www.ibm.com/think/topics/artificial-intelligence

XE Hackers Group Shifts from Credit Card Skimming to Veracore Zero-days 

XE Hackers, a Vietnam-based group previously known for credit card skimming, has recently been exploiting zero-day vulnerabilities in Veracore, a warehouse management software. Up until recently, XE Hackers made their money by selling stolen credit card data on carding forums and monetizing password theft. Recently, the group was detected exploiting two Veracore zero-day vulnerabilities on previously deployed persistent web shells. 

What's Notable and Unique: 

• Previously, security researchers did not believe that XE Hackers had the resources necessary to exploit zero-days. This shift signifies a trend of threat actors favoring persistent access and extortion over general fraud. 

  • This trend coincides with an increase in extortion events using web servers.  

• XE Hackers’ new tactics now pose a threat to supply chains in the manufacturing and distribution sectors.
  
  

• Vulnerabilities exploited by XE Hackers: 

  • CVE-2024-57968 (CVSS score: 9.9) - Allows remote authenticated users to upload files to unintended folders. This vulnerability was resolved in VeraCode version 2024.4.2.1.

  • CVE-2025-25181 (CVSS score: 5.8) - A SQL injection vulnerability that allows remote attackers to execute arbitrary SQL commands. No patch is currently available.

Analyst Comments  

This evolution exemplifies threat actors shifting from general cybercrime to more dangerous tactics that can cause increased operational impacts to organizations. Lesser-known threat actors can quickly prove they have the resources and capabilities to become a significant threat. As the number of skilled cybercrime groups grows, it is increasingly important to secure endpoints and maintain thorough event logs to detect suspicious behavior. Zero-day exploitations are difficult to prevent with patching, so detection is crucial. The persistent webshells are also a reminder to keep web servers secure and conduct consistent scans to detect any hidden TA access. 

FBI, Europol, and NCA Take Down 8Base Ransomware 

A concerted law enforcement effort has taken down the 8Base ransomware group's dark web data leak and negotiating websites. The U.S. Federal Bureau of Investigation (FBI), Europol, the U.K. National Crime Agency (NCA), and agencies from Bavaria, Belgium, Czechia, France, Germany, Japan, Romania, Spain, Switzerland, and Thailand were all involved in the takedown. According to Thai media sources, four European nationals, two men and two women, were taken into custody on Monday in four different locations during an operation known as Operation Phobos Aetor. 

What's Notable and Unique: 

• According to reports, authorities collected over 40 pieces of evidence, including digital wallets, laptops, and cell phones.
  
  

• 8Base is allegedly connected to the spread of the Phobos ransomware, which was used against 17 Swiss organizations between April 2023 and October 2024. Additionally, the group has been charged with making $16 million from attacks targeting more than 1,000 victims worldwide.
  
  

• Previous research by VMware revealed a Phobos sample with a ".8base" file extension on encrypted files, demonstrating how 8Base, a prominent double extortion actor in 2023, incorporates Phobos ransomware artifacts into its financially motivated cyberattacks.
  
  

• In a news release, Europol said that the four people detained are all Russian citizens accused of using a variant of the Phobos ransomware to extort victims throughout Europe and beyond.
  
  

• Additionally, the operation disrupted over 100 servers connected to the cybercrime network. 

Analyst Comments  

Throughout 2024, there was significant law enforcement pressure on ransomware organizations, and it is encouraging to see this trend continue in 2025. One of the most effective means of reducing ransomware attacks seems to be consistent law enforcement activity. 

Sources 

• https://www.theregister.com/2025/02/10/8base_police_arrrest/ 

• https://www.reuters.com/technology/cybersecurity/four-russians-arrested-phobos-ransomware-crackdown-europol-says-2025-02-11/  

• https://therecord.media/8base-ransomware-site-taken-down-4-arrested

Figure 1. Activity from the top 3 threat groups in January 2025 

Akira

Akira first emerged in April 2023 and quickly established itself as one of the most active ransomware groups. Through the end of 2024, the group remained one of the most prevalent ransomware threats and benefitted from law enforcement’s actions against LockBit and ALPHV. Akira encrypts and exfiltrates data to a remote server and extorts victims by threatening to post sensitive information on its DLS. The ransomware appends an “.akira” extension to encrypted files and uses a password-protected TOR site for communication and negotiations with its victims. 

Notable TTPs  

• Akira primarily relies on vulnerabilities in Cisco devices to achieve initial access before typically using AnyDesk to maintain persistence and launch various operations. They have also been observed using remote access trojans (RATs) like SystemBC.  
  
  

• Akira will delete Windows Shadow Volume Copies using Powershell and utilize the Windows Restart Manager API to exit processes and services that may prevent encryption.  

Analyst Notes   

With the fall of ALPHV/BlackCat and the decline of LockBit in 2024, Akira developed into a ransomware operation that is consistently one of the top variants observed each month. With the exception of April and July, Akira was among the top three most active threat groups throughout 2024. We expect this level of activity will continue in the near term, and organizations should remain vigilant in security measures and consider implementing robust backups to mitigate the impact of a potential ransomware attack. 

Fog 

Fog is a relatively new ransomware group that was first observed in late April 2024. Initially, Fog primarily targeted organizations in the education sector using compromised VPN credentials. Engagements with the ransomware group and victims suggest that the group is expanding its attacks to target other industries.  

Notable TTPs  

• Fog ransomware appends either a “.fog” or “.flocked” extension to the files it encrypts. Ransom notes are named "readme.txt" and contain consistent language, a Tor link for ransom negotiations, and a unique code for victims to access the chat. In June 2024, the group stood up a Tor data leak site they call the "Fog Blog.”
  
  

• Fog is using a variety of tools commonly used by other threat groups, including AnyDesk, Advanced Port Scanner, Netscan, Cobalt Strike, Mimikatz, Splashtop, MegaSync, and FileZilla.  

Analyst Notes   

Fog has been among the most active threat groups since the second half of 2024. Although the group has previously primarily targeted schools and educational organizations, it has since expanded its focus to other industries. Fog has also recently been exploiting a critical SonicWall VPN vulnerability since October 2024, contributing to its consistent activity levels.

RansomHub

RansomHub is a RaaS operation that emerged in January 2024 and is believed to be a rebrand of the Cyclops and Knight ransomware groups. In February, the group was observed recruiting affiliates on the Russian cybercrime forum RAMP. Affiliates reportedly receive 90% of the ransom, with the remaining 10% going to the group’s operators. RansomHub explicitly prohibits attacks on non-profit organizations and specific countries, including the Commonwealth of Independent States, Cuba, North Korea, and China. The threat actors behind RansomHub are located in various global locations and are united by a common goal of financial gain. 

Notable TTPs  

• RansomHub reportedly uses the Cobalt strike platform for lateral movement, the Rcolne tool for data exfiltration, and a cloud file storage service called Wasabi.    
  
  

• RansomHub operates a DLS and threatens to publish sensitive victim data if a payment is not made. The group’s administrators are also known to communicate with media sources.  

Analyst Notes 

Engagements attributed to RansomHub increased rapidly since SJA Labs first observed the group in May 2024, and it quickly established itself as one of the top threat actor groups since July 2024. The group has targeted a wide range of high-profile victims in its short tenure thus far, and the threat actors are clearly not afraid to monetize their efforts in any way possible.

Observed Malware in December 2024  

Jupyter Infostealer: The Jupyter Infostealer, also known as SolarMarker, is a .NET-based malware that has been active since late 2020. It functions as both an information stealer and a backdoor, primarily targeting web browsers, including Chromium, Mozilla Firefox, and Google Chrome. It steals cookies, login credentials, and security certificates from infected systems. Earlier versions had minimal obfuscation and clearly labeled functions, but newer variants are more advanced, employing heavy obfuscation and strong encryption methods like AES and RSA to communicate with command-and-control (C2) servers. More recent versions also use private key signatures and modify PowerShell scripts to appear as legitimate software. These tactics help Jupyter evade security measures by making it seem like a trusted application, improving its chances of avoiding detection. 

ASPXSpy: ASPXSpy is a web shell malware designed to provide attackers with remote control over compromised web servers. Written in ASP.NET, it allows threat actors to execute commands, upload or download files, modify system settings, and conduct further attacks within a network. Because ASPXSpy is lightweight and easily obfuscated, it is often used for persistent access in web-based intrusions. 

Babadeda: Babadeda is a crypter, a tool cybercriminals use to encrypt and obfuscate malicious code, making it harder for security software to detect. Active since at least 2021, Babadeda has been employed to distribute various types of malware, including information stealers, RATs, and ransomware. 

SocGholish: SocGholish is a malware family that disguises itself as software updates to trick users into executing a malicious JavaScript payload, thereby granting the malware control over the compromised system. SocGholish is frequently used by threat actors as an initial access broker, providing entry points for other attackers to exploit. It has been associated with the deployment of secondary payloads like Cobalt Strike, a tool often used for post-exploitation activities, including lateral movement and privilege escalation within a compromised network.  In December 2024, a campaign targeted Kaiser Permanente employees via fraudulent Google Search Ads. These ads impersonated the company's HR portal, leading users to compromised websites that prompted fake browser update notifications. Executing these updates resulted in SocGholish malware infections.

CobaltStrike: CobaltStrike is a legitimate software suite designed for red team operations to conduct security assessments. However, it remains popular among cybercriminals, including ransomware gangs, for its versatility in command-and-control (C2) communications, reconnaissance, and malware delivery. Organizations should monitor for indicators of Cobalt Strike activity, including unusual C2 traffic and unauthorized PowerShell execution. Implementing endpoint detection and regular threat hunting can help mitigate the risk.

Figure 1. Countries where devices were infected by the trojanized XWorm RAT (source: CloudSEK) 

Analyst Comments 

While the idea of targeting entry-level hackers with a trojanized builder may seem like poetic justice, the data set recovered by security researchers revealed the alarming number of individuals worldwide interested in engaging in malicious cyber activity. The ever-growing  

accessibility of information and emerging technologies like AI continue to lower the barrier of entry into cybercrime. Although the focus is typically on threats from the larger ransomware and extortion groups, less-skilled cybercriminals can still cause substantial financial damage and business disruption to the organizations they target. Additionally, the geographic diversity of the infected devices reflects the global threat of cybercrime.   

Sources 

• https://www.cloudsek.com/blog/no-honour-among-thieves-uncovering-a-trojanized-xworm-rat-builder-propagated-by-threat-actors-and-disrupting-its-operations

Fake Reddit and WeTransfer Sites Push Lumma Stealer Malware

Threat actors are spreading approximately 1,000 websites that imitate Reddit and the file-sharing website WeTransfer, luring unsuspecting users to download the Lumma information-stealing malware. The malicious sites display a phony Reddit discussion thread on a particular subject. To give an air of credibility, the thread originator requests assistance downloading a specific tool, another user offers to assist by uploading it to WeTransfer and providing the URL, and a third user thanks them for sharing the resource. 

What's Notable and Unique: 

• Unsuspecting victims who click on the link visit fake WeTransfer websites that imitate the user interface of the well-known file-sharing service. The "Download" button leads to the Lumma Stealer payload.

• To feign authenticity, every website featured in this campaign includes a string of the brand they are impersonating, followed by random letters and numbers. The two top-level domains are ".org" and ".net."

• Sekoia researchers discovered these phony websites and offered a comprehensive list of domains involved in the scam. There are 407 pages pretending to be the official WeTransfer service offering a download and 529 pages mimicking Reddit.  

Analyst Comments  

Lumma Stealer is a powerful tool that uses sophisticated data stealing and evasion techniques. Hackers purchase the malware, which they disseminate via various channels, such as malvertising, deepfake-generating websites, and GitHub comments. This information-stealing malware can gather session tokens and passwords saved in web browsers and utilize them to take over accounts without the user's credentials. In this type of attack, threat actors often steal sensitive login information and attempt to sell it on dark web forums. 

Sources 

• https://www.bleepingcomputer.com/news/security/hundreds-of-fake-reddit-sites-push-lumma-stealer-malware/  

• https://x.com/crep1x/status/1881404758843699402?mx=2

Ransomware Targets ESXi Systems via Stealthy SSH Tunnels for C2 Operations

In recent years, VMware ESXi appliances have become high-value targets for ransomware groups due to their critical role in virtualized infrastructures. These appliances are increasingly exploited for exfiltrating and encrypting virtual machine images, leading to severe operational disruptions and reputational damage.  

Beyond this, threat actors are leveraging ESXi appliances earlier in the attack chain, using them as a pivot point to tunnel traffic and gain further access to corporate networks. This tactic involves exploiting native tools, like Secure Shell (SSH), to establish stealthy communication channels (e.g., SOCKS tunnels) between the compromised infrastructure and command-and-control (C2) servers. The limited monitoring of ESXi hosts often allows these attacks to proceed undetected, exacerbating the risk and potential impact on affected organizations. 

What’s Notable and Unique  

• In many cases, attackers compromise ESXi appliances by either using administrative credentials or exploiting known vulnerabilities to bypass authentication. They then set up tunneling via native SSH functionality or other common tools, creating a semi-persistent backdoor within the network due to the resilience and rare shutdowns of ESXi appliances.

• In one of the reported incidents, the Abyss Locker ransomware group exploited ESXi appliances and Network Attached Storage (NAS) devices to tunnel traffic within networks, using its Linux ELF encryptor and the "esxcli" VMware ESXi tool to terminate virtual machines and encrypt their virtual disks (.vmdk), metadata (.vmsd), and snapshots (.vmsn). It also encrypts other files on the device, appending the ".crypt" extension and creating ransom notes for each file.

• SJA Labs' Threat Intelligence team identified that the Play and Fox ransomware groups have targeted ESXi hosts, with Play ransomware specifically adding ransom notes as wallpapers to the affected login portals. 

Analyst Comments

Given the increasing sophistication of ransomware attacks targeting ESXi appliances, organizations must prioritize proactive monitoring and log analysis to detect early signs of intrusion. The four key log files (/var/log/shell.log, /var/log/hostd.log, /var/log/auth.log, and /var/log/vobd.log) offer valuable insights into SSH tunneling and potential ransomware activity, including traces of command execution, administrative actions, login attempts, and firewall rule modifications.  

To improve detection and response capabilities, it is highly recommended that organizations centralize ESXi logs through syslog forwarding and integrate them into a Security Information and Event Management (SIEM) system, enabling more effective identification of anomalies and reducing the risk of undetected attacks. 

Sources

• https://www.sygnia.co/blog/esxi-ransomware-ssh-tunneling-defense-strategies/ 

• https://www.bleepingcomputer.com/news/security/ransomware-gang-uses-ssh-tunnels-for-stealthy-vmware-esxi-access/ 

• https://www.bleepingcomputer.com/news/security/linux-version-of-abyss-locker-ransomware-targets-vmware-esxi-servers/ 

• https://www.sentinelone.com/labs/hypervisor-ransomware-multiple-threat-actor-groups-hop-on-leaked-babuk-code-to-build-esxi-lockers/

Cybercriminals are Phishing Companies That Use Google Ads with…Google Ads

A new campaign is targeting unsuspecting Google Ads users by phishing for their credentials through Google Ads. Individuals are tricked into entering credentials into what appears to be their Google Ads login page, but is actually a site that mimics the login page being pushed through Google Ads. This unique use of malvertising to gain compromised credentials fuels the fire for broader malvertising campaigns and cybercriminal operations. 

What Happens?  

Once an unsuspecting victim clicks on the fraudulent Google Ads page, they are prompted to enter their Google account information. In addition to account credentials, the phishing kit collects unique information, including cookies and cached browser credentials. Once this is complete, the threat actor attempts to log into the user’s Google Ads account and lock the account holder out. An email indicating a mysterious login attempt is the sole means of identifying this nefarious activity.

What happens next is where things get interesting. Once the threat actor has control of the account, they have two options: 

• Repurpose the account to conduct malvertising campaigns leading to phishing kits, remote access trojans (RATs), information stealers, and other tools to perpetuate cybercriminal activity.

• Expand their reach of Google Ads by using the compromised account to collect additional Google Ads accounts with the same technique, leading to an ever-growing reserve of compromised accounts.

Analyst Comments

The ongoing campaign targeting Google Ads credentials reflects the continued increase in malvertising observed by SJA Labs. This also highlights the need for end users’ heightened scrutiny surrounding communications as threat actor phishing tactics evolve and mature. SJA Labs advises caution in day-to-day operations and encourages end users to be cognizant of the various methods threat actors utilize to gain initial access into victim environments.  

Sources 

• https://www.malwarebytes.com/blog/news/2025/01/the-great-google-ads-heist-criminals-ransack-advertiser-accounts-via-fake-google-ads

Rise in Phishing Kits Targeting Microsoft Office 365 Accounts 

Security researchers recently discovered a new phishing kit targeting Microsoft 365 accounts. The kit, called Sneaky 2FA, functions as an Adversary-in-the-Middle (AiTM) kit that can bypass two-factor authentication. Sneaky 2FA has been sold since October 2024 by a cybercrime service called “Sneaky Log” as a phishing-as-a-service (PhaaS) product to steal Microsoft Office 365 credentials. Researchers first observed Sneaky 2FA in December 2024, and it has since been observed in almost 100 domains. 

What’s Notable and Unique  

• The phishing pages are typically hosted on compromised infrastructure, such as WordPress sites or other domains controlled by the threat actor. The fake authentication pages seem more legitimate by employing tactics like automatically populating the user’s email address.

• Sneaky 2FA is the latest arrival in a trend of PhaaS platforms. In 2024, another PhaaS kit, Tycoon 2FA, was sold and used to bypass multi-factor authentication (MFA). MFA is a common tool used to secure user credentials, and cybercriminal activity related to bypassing this authentication method is rising quickly. SJA Labs sees Tycoon 2FA regularly in business email compromise (BEC) response engagements. It is used to steal session cookies, rather than just login credentials.  

Analyst Comments

Increased availability of phishing kits continues to demonstrate the expanding ecosystem of tools enabling cybercrime and the evolution and maturation of phishing tactics employed by threat actors. In 2024, SJA Labs observed phishing as the method of intrusion in 40% of business email compromise (BEC) engagements throughout the year. Phishing kits like Sneaky 2FA and Tycoon 2FA will likely continue to evolve as long as threat actors are able to successfully utilize them to obtain victim credentials. Verifying the legitimacy of links and websites prior to entering credentials remains a critical practice for end users. 

Sources 

• https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/  

• https://www.securitymagazine.com/articles/101308-two-factor-authentication-phishing-kit-targets-microsoft-365-accounts  

• https://blog.barracuda.com/2025/01/22/threat-spotlight-tycoon-2fa-phishing-kit

Funksec: New Threat Group Leverages AI to Build Malware

Funksec is a new ransomware-as-a-service (RaaS) that emerged in December 2024. Over the past month, the group has posted more victims to its data leak site (DLS) than any other ransomware group, surpassing more established groups like Akira and RansomHub. However, cybersecurity researchers recently discovered that this prolific activity from Funksec may actually be the work of inexperienced threat actors leveraging artificial intelligence (AI) to assist them in building malware.  

What’s Notable and Unique  

Since emerging in December, Funksec has aggressively self-promoted its ransomware activities and capabilities, posting over 85 victims on its DLS and even going as far as providing an interview to boast about its capabilities. In addition to the victims, the DLS contains information about purchasing the RaaS and various tools, including a Distributed Denial-of-Service (DDoS) tool and a remote desktop management tool written in C++. Despite the group's seemingly rapid growth, security researchers made several discoveries about Funksec's malware and operations, suggesting the group isn't as sophisticated or prolific as it claims to be. 

• Analysis of the group’s ransomware indicates that the malware was created by an inexperienced developer and contains redundancy and code duplication not typically observed in ransomware, as well as multiple indications that the developer resides in Algeria. Additionally, the group appears to have used AI to assist in the development of its tools and malware.

• Despite the high volume of victims posted on the DLS since December, some of the leaks appear to be data stolen from previous hacktivist-related activity, suggesting that Funksec’s actual activity level is lower than what the DLS claims.

• Funksec reportedly requests ransom amounts as low as $10,000, which is uncommonly low compared to other active RaaS groups.   

Analyst Comments

While it is too early to assess the threat this new group will pose in 2025, Funksec is not the first to leverage its DLS to give an inflated appearance of their activity levels. What's more notable is the use of AI in creating the tools and malware used by the new ransomware group. AI is more commonly observed in creating phishing and social engineering campaigns, but it was only a matter of time before novice cybercriminals leveraged it to build the tools and malware for conducting ransomware attacks. 

Sources 

• https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/ 

• https://osint10x.com/threat-actor-interview-spotlighting-on-funksec-ransomware-group/  

• https://www.ransomlook.io/stats

Infostealer Disguised as PoC Code Exploiting Recent LDAP Vulnerability

Threat actors are distributing information-stealing malware disguised as proof-of-concept (PoC) exploit code for a recently discovered Windows Lightweight Directory Access Protocol (LDAP) vulnerability. The vulnerability, identified as CVE-2024-49113 and named LDAPNightmare, can lead to denial-of-service (DoS) attacks. It was patched in a security update issued on December 10, 2024. 

What’s Notable and Unique  

• This fake PoC exploit is designed to deceive security researchers into downloading and executing information-stealing malware. The malicious repository appears to be a fork of the original, where the Python files have been replaced with an executable, poc.exe, packed using UPX. When executed, the file drops and runs a PowerShell script in the %Temp% folder, creating a Scheduled Job that triggers an encoded script.

• Once decoded, the script retrieves another script from Pastebin to collect the victim's public IP address and upload it via FTP. It then gathers and compresses system information, including computer details, process lists, directory lists, network IPs, network adapters, and installed updates, before uploading the data to an external FTP server using hardcoded credentials. 

Analyst Comments

Our security researchers remain vigilant in continuously monitoring the tactics, techniques, and procedures (TTPs) associated with information-stealer malware. By leveraging cutting-edge detection capabilities and analyzing emerging attack methods, we can swiftly identify and block threats aimed at exploiting vulnerabilities, such as the LDAP vulnerability that could lead to denial-of-service (DoS) attacks. Our ongoing commitment to proactive security research and incident response ensures that potential threats—whether designed to steal sensitive information or disrupt services—are effectively neutralized before they can cause significant damage. This comprehensive approach helps safeguard both our infrastructure and the critical data of our clients from evolving cyber threats

Sources 

• https://www.securityweek.com/infostealer-masquerades-as-poc-code-targeting-recent-ldap-vulnerability/ 

• https://www.trendmicro.com/en_us/research/25/a/information-stealer-masquerades-as-ldapnightmare-poc-exploit.html 

AWS Falls Victim to Ransomware  

An emerging ransomware group dubbed Codefinger has been observed encrypting objects within the Amazon Web Services (AWS) Simple Storage Service (S3). While exposed buckets are a common target of extortionists looking for a payday, this is the first known instance of AWS cloud infrastructure being the target of encryption. The threat actor is able to accomplish data encryption in the S3 buckets, which are cloud storage containers for storing various types of data, by utilizing a native encryption function built into the AWS S3 services called SSE-C.  

What’s Notable and Unique  

• SSE-C allows AWS users to encrypt and secure their data by creating their own encryption key. AWS does not store the key, which is what ultimately allowed attackers to abuse this encryption capability. The threat actors associated with Codefinger gained access to the AWS services using compromised credentials before encrypting the victim data with the SSE-C functionality, forcing the victims to pay for the data or lose access to the encrypted data.

• In previous SJA Labs engagements with data exfiltration through S3 buckets, the ransom demands have always been nominal. This, coupled with the fact that victims are less likely to pay cybercriminals demands in instances where there is no data encryption, kept the overall impact on the threat landscape low. However, with the newly identified encryption method showcased by Codefinger, it is possible that both the ransom demands and the likelihood of ransom payments will increase.

• It should be noted that native encryption capabilities are available in a variety of software and operating systems, with the most commonly abused being the Windows encryption tool Bitlocker. 

Analyst Comments  

The encryption of data held within the cloud is uniquely interesting because it opens the door to a whole new playing field for cybercriminals, with many organizations potentially operating under a false sense of security. It is still too early to tell with a high degree of confidence whether this encryption method will be adopted by other threat groups, or if Codefinger will become a prolific cybercrime group. However, should this tactic be heavily adopted, it could significantly increase the threat landscape available to cybercriminals. 

Sources 

• https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c