Cybersecurity News

Figure 1. Activity from the top 5 threat groups in March 2025 

Akira

In 2024, Akira was the most active threat group observed throughout the year and benefited from law enforcement actions that disrupted LockBit and ALPHV’s operations. Akira was one of the top variants observed every month and was responsible for almost 15% of all ransomware and extortion activity in 2024. Akira encrypts and exfiltrates data to a remote server and extorts victims by threatening to post sensitive information on its DLS. The ransomware appends an “.akira” extension to encrypted files and uses a password-protected TOR site for communication and negotiations with its victims. 

Notable TTPs  

• Akira primarily exploits software vulnerabilities to achieve initial access before typically using AnyDesk to maintain persistence and launch various operations. For example, in Q4 and early 2025, Akira found continued success targeting a critical SonicWall VPN access control flaw (CVE-2024-40766).

• Akira will delete Windows Shadow Volume Copies using Powershell and utilize the Windows Restart Manager API to exit processes and services that may be preventing encryption.

Analyst Notes 

With the fall of ALPHV/BlackCat and the decline of LockBit in 2024, Akira ultimately dominated the ransomware landscape for the majority of 2024. The group maintained consistent, high levels of activity throughout the year and was the most active group from Q2 through Q4 2024. Akira continues to be a dominant ransomware threat in 2025 and has already been the most active group observed each month since the year began. 

Luna Moth 

Luna Moth is an extortion-only cybercrime group active since at least 2022. They rely on callback phishing campaigns for initial entry, typically sending fake invoices that prompt recipients to call the threat actor. Luna Moth then has the victim download a publicly available remote administration tool. The group's primary focus is gaining access to sensitive documents and demanding payment to withhold the publication of the stolen data. Luna Moth has been observed compromising multiple victims in one campaign but then waiting several months to extort the victims. 

Notable TTPs  

• Luna Moth primarily employs remote administration tools (RATs), such as Atera, Splashtop, Syncro, and AnyDesk, to control compromised devices and Rclone or WinSCP for exfiltration.

• Luna Moth utilizes phishing and exfiltration domains as part of its infrastructure and frequently utilizes callback phishing as a tactic. Based on our internal datasets, Luna Moth seems to primarily target law firms.  

Analyst Notes 

Luna Moth operates using publicly available legitimate tools and social engineering, making detecting their operations very difficult. Educating users on the threat of callback phishing is a key defensive measure for preventing Luna Moth attacks.

RansomHub

RansomHub is a RaaS operation that emerged in January 2024 and is believed to be a rebrand of the Cyclops and Knight ransomware groups. The group has targeted a wide range of high-profile victims since it emerged, including telecom giant Frontier and British auction house Christie's. RansomHub also demonstrates a willingness to allow individual affiliates and existing threat groups like Scattered Spider to use its RaaS. 

Notable TTPs  

• RansomHub operates a DLS and will threaten to publish sensitive victim data if a payment is not made. The group’s administrators are also known to communicate with media sources.

• Since 2024, RansomHub has been observed using a tool called EDRKillShifter, which employs a technique known as Bring Your Own Vulnerable Driver (BYOVD). In this technique, a legitimate driver–such as the Zemana Anti-Malware kernel driver or the Avast Anti-Rootkit driver–with known vulnerabilities is installed and exploited to gain kernel-level privileges. With EDRKillShifter, these privileges are ultimately used to disable endpoint detection and response (EDR) tools on the victim's systems.

Analyst Notes

Engagements attributed to RansomHub increased rapidly since we first observed them in May 2024, and the group quickly established itself as one of the top threat actor groups since July 2024. The group has targeted a wide range of high-profile victims in its short tenure thus far, and the threat actors are clearly not afraid to monetize their efforts in any way possible.

INC Ransom 

INC Ransom was first observed in July 2023 and primarily uses phishing emails and exploits known vulnerabilities to gain initial access to victim networks. Reports from 2024 indicated that INC was considering selling its source code, and several similarities have been observed between INC and a new group that formed in mid-May 2024 and called itself Lynx. However, INC Ransom continues to operate, and we have observed an uptick in attacks from INC in 2025. 

Notable TTPs  

• In 2025 thus far, we have observed INC Ransom exploiting vulnerabilities in SimpleHelp RMM software, which could be a factor in the recent increase in INC ransomware incidents observed in March. INC has also been observed using AnyDesk, Advanced IP Scanner, Mimikatz, Netscan, Process Hacker, and the file-infecting Neshta malware. 

Analyst Notes  

INC Ransom appears to have increased its activity in 2025 and has been observed in almost as many incidents so far in 2025 as in the entirety of 2024. Despite reports of the group selling its source code last year, INC continues to operate. However, it is too early to assess if the group will maintain a higher rate of activity in 2025 or if this increase reflects the group's recent success with exploiting the SimpleHelp RMM vulnerability.   

Malware Observed in March 2025

PureLog Stealer: PureLog Stealer is a malware designed to extract sensitive information from compromised systems, primarily targeting browser data, including browsing history, cookies, stored login credentials, and clipboard content. It typically propagates through phishing campaigns, malicious attachments, or harmful advertisements, running silently in the background while routinely exfiltrating collected data to designated command-and-control servers. This stealer is associated with the larger Pure Malware Family, which includes tools like PureCrypter and is frequently deployed via loaders that utilize advanced obfuscation and packing methods to hinder detection and static analysis.  

Neshta: Neshta is a file-infecting malware that primarily targets Windows systems by injecting malicious code into executable (.exe) files. It spreads through infected downloads, email attachments, compromised software updates, and removable drives. Once active, Neshta modifies the Windows registry to ensure persistence, often masquerading as legitimate system processes like “svchost.com” to evade detection. The malware continuously infects other executables on the system, making removal challenging.   

In addition to its file-infecting behavior, Neshta can serve as a backdoor, enabling cybercriminals to steal sensitive information, deploy additional malware, and scout the system for further attacks. Its persistence mechanisms, such as modifying registry keys and embedding itself in critical system files, often necessitate specialized removal tools or full OS reinstallation in severe cases. Security researchers have observed that newer variants of Neshta integrate advanced obfuscation techniques, making them more resistant to traditional antivirus detection.   

AsyncRAT: AsyncRAT is an open-source remote access trojan (RAT) that first appeared in 2019. Written in C#, it enables cybercriminals to remotely control compromised systems, facilitating data theft, command execution, screenshot capture, and full system control. Attackers employ various strategies to spread AsyncRAT, including phishing emails, malvertising, and exploit kits.  

As of early 2025, AsyncRAT has evolved with notable advancements. Recent campaigns have utilized Python-based malware and TryCloudflare tunnels to enhance stealth and bypass security measures. Payloads are delivered via Dropbox URLs and temporary TryCloudflare tunnel infrastructure, tricking recipients into trusting their authenticity.  

NetSupportRAT: NetSupportRAT is a RAT derived from the legitimate NetSupport Manager software. While NetSupport Manager is intended for authorized remote system administration, threat actors have repurposed it to gain unauthorized control over targeted devices. Once deployed, NetSupportRAT allows attackers to access and manipulate data, execute additional payloads, monitor screens in real-time, and capture screenshots, audio, and video. These unauthorized versions are often distributed through underground marketplaces. 

In early 2025, cybercriminals have been observed employing social engineering techniques to enhance infection rates. Notably, the "ClickFix" method has been observed, where users are deceived into executing malicious PowerShell commands via fake CAPTCHA pages embedded in compromised websites. This approach facilitates the download and installation of NetSupportRAT, granting attackers full control over the compromised systems. 

Babadeda: Babadeda is a sophisticated crypter that enables cybercriminals to encrypt and obfuscate malicious software, effectively concealing its true nature. This advanced obfuscation allows malware to evade detection by many antivirus solutions, resulting in notably low detection rates. Babadeda has been linked to the distribution of various malicious payloads, including RATs like BitRAT and Remcos, information stealers, and ransomware.

RansomHub Leverages New “Betruger” Backdoor 

Security researchers have discovered a custom backdoor called "Betruger" that has been linked to several recent RansomHub ransomware attacks. The Betruger malware is highly sophisticated, offering various built-in capabilities to minimize the number of malicious tools required during ransomware attacks. Unlike typical ransomware that relies on public malware tools like Mimikatz and Cobalt Strike, Betruger is designed to perform multiple functions, streamlining the attack process. 

What's Notable and Unique

• Analysis of the Betruger backdoor revealed that it incorporates functionality typically found in several pre-ransomware tools, such as screenshotting, keylogging, uploading files to a command and control (C2) server, network scanning, privilege escalation, and credential dumping.

• The functionality of Betruger suggests that it may have been developed to reduce the number of new tools deployed on a targeted network while preparing for a ransomware attack. 

• Betruger is commonly disguised with filenames such as 'mailer.exe' and 'turbomailer.exe' to make it appear as legitimate software. However, the backdoor has no actual mailing functionality, and it is likely that threat actors chose these names to mimic a legitimate application and avoid detection.

• Betruger is one of several tools used by RansomHub affiliates in recent months as they leverage techniques like Bring Your Own Vulnerable Driver (BYVOD) to disable security solutions. Additionally, RansomHub exploits vulnerabilities such as CVE-2022-24521 (Windows Privilege Escalation) and CVE-2023-27532 (Veeam Backup credential leak). Other tools commonly used include Impacket, Rclone, Mimikatz, ScreenConnect, and SystemBC to facilitate credential dumping, remote access, and data exfiltration. 

Analyst Comments 

RansomHub was one of the top RaaS groups to emerge in the second half of 2024.  RansomHub rapidly expanded its operations and displayed a willingness to work with individual affiliates as well as existing threat groups. The development of highly sophisticated malware like Betruger demonstrates the group’s ability to continuously improve its capabilities and further positions RansomHub as a major player in 2025’s ransomware threat landscape. 

Sources

• https://www.security.com/threat-intelligence/ransomhub-betruger-backdoor 

• https://www.bleepingcomputer.com/news/security/ransomhub-ransomware-uses-new-betruger-multi-function-backdoor/

VanHelsing RaaS Emerges in March

A new RaaS, VanHelsing, emerged in early March 2025 and has been posting advertisements on the RAMP dark web forum promoting their ransomware services and payment terms to attract new affiliates. The ransomware itself is written in C++ and uses the ChaCha20 algorithm for file encryption, appending ‘.vanhelsing’ on encrypted files, changing the victim’s wallpaper to display VanHelsing’s name and logo, and leaving behind a ‘README.txt’ ransom note directing victims to a Tor chat for communication. Like most RaaS organizations, the group also has a dedicated data leak site (DLS) where they threaten to leak victim data as an additional pressure tactic.  

What's Notable and Unique

• VanHelsing’s RAMP post promotes the cross-platform functionality of its ransomware, as it can reportedly target Windows, Linux, BSD, ARM, and ESXi systems.

• While the group has a similar payment split to other RaaS, with affiliates keeping 80% of the ransom payment and VanHelsing taking the remaining 20%, the group also allows affiliates with a “good reputation” to join for free and new or less experienced affiliates to join as long as they pay a $5,000 deposit.  

Analyst Comments

While it’s too early to assess how successful or active the new VanHelsing RaaS will be, the group does have several offerings that could entice new affiliates. Most notably, the relatively low deposit required to join the RaaS lowers the bar of entry for new and less experienced hackers. Additionally, the ransomware’s ability to target more than just Windows systems adds to the potential threat posed by this new RaaS.  

Sources 

• https://research.checkpoint.com/2025/vanhelsing-new-raas-in-town/

• https://www.cyfirma.com/research/vanhelsing-ransomware/

Source: https://osint10x.com/threat-actor-interview-spotlighting-on-funksec-ransomware-group/

Conclusion

In the right hands, AI is a powerful tool for productivity and advancement, but the potential risks associated with the growth of AI in connection with illegal activity such as cybercrime should be carefully monitored and addressed. Both the unintended negative effects of biases and the use of AI by cybercriminals highlight the challenges for evolving safeguards and controls protecting correct and ethical AI use. 

Sources 

• https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52021PC0206&qid=1631923538517  

• https://medium.com/@loriaustex/5-things-you-must-know-now-about-the-coming-eu-ai-regulation-d2f8b4b2a4a9  

• https://www.ibm.com/think/topics/shedding-light-on-ai-bias-with-real-world-examples  

• https://www.bitdefender.com/en-us/blog/businessinsights/funksec-an-ai-centric-and-affiliate-powered-ransomware-group  

Akira

Akira first emerged in April 2023 and quickly established itself as one of the most active ransomware groups. Through the end of 2024, the group remained one of the most prevalent ransomware threats and benefitted from law enforcement’s actions against LockBit and ALPHV. Akira encrypts and exfiltrates data to a remote server and extorts victims by threatening to post sensitive information on its DLS. The ransomware appends an “.akira” extension to encrypted files and uses a password-protected TOR site for communication and negotiations with its victims.   

Notable TTPs

• Akira primarily exploits software vulnerabilities to achieve initial access before typically using AnyDesk to maintain persistence and launch various operations. For example, in Q4 and early 2025, Akira found continued success targeting a critical SonicWall VPN access control flaw (CVE-2024-40766).
  
  

• Akira will delete Windows Shadow Volume Copies using Powershell and utilize the Windows Restart Manager API to exit processes and services that may prevent encryption.  

Analyst Notes

With the fall of ALPHV/BlackCat and the decline of LockBit in 2024, Akira ultimately dominated the ransomware landscape for the majority of 2024. The group maintained consistent, high levels of activity throughout the year and was the most active group from Q2 through Q4 2024. Given Akira’s consistent activity levels and adaptability, the group will likely continue to be the dominant ransomware threat in 2025 and was already the most active group observed in January and February.

BianLian

BianLian is an extortion group first observed in June 2022. Initially, the group operated with a double extortion model, but around January 2023, it shifted to an extortion-only model after a decryptor for its ransomware executable was released. Since then, BianLian has remained a data extortion-only threat group, typically gaining initial access via Remote Desktop Protocol (RDP) credentials or third-party remote access tools. 

Notable TTPs

• BianLian has a Trojan developed in the Go programming language, which it uses to retain access to a victim's environment. The Trojan's use of Go enables quick modification of the code, evasion of detection, and increased difficulty for researchers to analyze.
  
  

• Since switching to extortion-only, BianLian is notorious for its highly aggressive pressure tactics and is known to repeatedly call and message employees of the victimized companies to get victims to pay the ransom.  

Analyst Notes

Although the BianLian extortion group is rarely among the most active groups month-to-month, it has remained a consistent threat since 2022. By focusing on data theft only, the group became proficient in impacting the highest average number of individuals in each data breach. Coupled with aggressive pressure tactics, this resulted in victims paying a ransom in 52% of all BianLian engagements in 2024, in contrast to just 29% of engagements for all threat groups combined. Given its extortion successes, we anticipate the group will remain a persistent threat throughout 2025.  

Since late February 2025, we have observed several incidents involving ransom letters sent via the postal service and claiming to be from BianLian. Information collected through our various engagements and available open-source reporting has not definitively confirmed who is sending these letters, but it is unlikely the ransom letters originated from the BianLian extortion group. Additionally, we have not discovered any indications of data exfiltration from the engagements we have investigated for clients who received one of these letters. On Thursday, March 6th the FBI issued a public service announcement which stated they found no connections to BianLian, and assessed the letters were likely a scam.

Cactus

Cactus ransomware was first discovered in the wild in March 2023. The group uses double extortion tactics, encrypting compromised networks and stealing sensitive data. Cactus employs a dynamic approach to encryption, utilizing many tools and techniques to ensure its malicious payload is delivered effectively and covertly and demonstrating a sophisticated understanding of evasion techniques. 

Notable TTPs

• Cactus ransomware targets Linux, Windows, and ESXi systems and typically executes a batch script that uninstalls most commonly used antivirus products. Additionally, Cactus uses a custom onion network webmail link to communicate with victims and operates a DLS to post victim data.
  
  

• In 2025, we have observed Cactus engaging in vishing campaigns via external Microsoft Teams accounts, targeting multiple users within victim tenants to gain initial access using the Quick Assist/RemoteHelp tool or the remote-control features in Microsoft Teams.

Analyst Notes

Cactus was relatively quiet in 2024 and only accounted for a little over 1% of all ransomware and extortion engagements for the entire year. It is too early to tell if the increase in activity is a result of the social engineering tactic the group has recently used or if Cactus will evolve into a more persistent threat in 2025.   

Malware Observed in February 2025

Neshta: Neshta is a file-infecting malware that primarily targets Windows systems by injecting malicious code into executable (.exe) files. It spreads through infected downloads, email attachments, compromised software updates, and removable drives. Once active, Neshta modifies the Windows registry to ensure persistence, often masquerading as legitimate system processes like “svchost.com” to evade detection. The malware continuously infects other executables on the system, making removal challenging.  

In addition to its file-infecting behavior, Neshta can serve as a backdoor, enabling cybercriminals to steal sensitive information, deploy additional malware, and scout the system for further attacks. Its persistence mechanisms, such as modifying registry keys and embedding itself in critical system files, often necessitate specialized removal tools or full OS reinstallation in severe cases. Security researchers have observed that newer variants of Neshta integrate advanced obfuscation techniques, making them more resistant to traditional antivirus detection.  

RedLine: RedLine Stealer, an information-stealing malware first identified in 2020, operates on a Malware-as-a-Service (MaaS) model, allowing affiliates to purchase subscriptions or lifetime licenses to access a control panel that generates malware samples and functions as a command-and-control server. The malware collects a wide array of sensitive information, including local cryptocurrency wallets, cookies, saved credentials, and saved credit card details from browsers and saved data from applications like Steam, Discord, Telegram, and various desktop VPN clients. In October 2024, an international law enforcement operation called Operation Magnus, led by the Dutch National Police, the FBI, Eurojust, and other agencies, targeted the RedLine Stealer infrastructure. As a result, authorities took down three servers in the Netherlands and seized two domains. 

Lumma Stealer: Lumma Stealer, also known as LummaC2, is an information-stealing malware that first appeared in late 2022. Developed in the C programming language, it operates under a MaaS model, allowing cybercriminals to purchase and deploy it with relative ease. The malware primarily targets sensitive information such as cryptocurrency wallets, browser-stored passwords, and two-factor authentication (2FA) data. 

In 2024, Lumma Stealer's activity escalated, with its developers adopting more sophisticated tactics to compromise victims. One notable method involved fake CAPTCHA verification pages that appeared legitimate. Users attempting to complete the CAPTCHA triggered a hidden PowerShell command, downloading and executing the malware on their systems. 

SocGholish: SocGholish, also known as "FakeUpdates," is a JavaScript-based malware family that primarily employs social engineering tactics, masquerading as legitimate software updates to deceive users into downloading malicious payloads. Cybercriminals infiltrate legitimate websites by embedding harmful JavaScript code. When users access these compromised sites, they are presented with misleading prompts—such as counterfeit browser update alerts—persuading them to download and run malicious files. This tactic serves as the entry point for malware infection. Over time, SocGholish has evolved, employing sophisticated techniques to evade detection. Recent campaigns utilized complex infection chains involving JavaScript, PowerShell, and compressed files to bypass security measures, and in 2025, SocGholish continues to be a prevalent threat. 

AsyncRat: AsyncRAT is an open-source remote access trojan (RAT) that first appeared in 2019. Written in C#, it enables cybercriminals to remotely control compromised systems, facilitating activities such as data theft, command execution, screenshot capture, and full system control. Attackers employ various strategies to spread AsyncRAT, including phishing emails, malvertising, and exploit kits. 

As of early 2025, AsyncRAT has evolved with notable advancements. Recent campaigns have utilized Python-based malware and TryCloudflare tunnels to enhance stealth and bypass security measures. Payloads are delivered via Dropbox URLs and temporary TryCloudflare tunnel infrastructure, tricking recipients into trusting their authenticity.

AI Deep Dive Part 2: Data Privacy Concerns 

A few weeks ago, we outlined the history of artificial intelligence (AI). Today, we continue that conversation, exploring data privacy concerns associated with AI tools. AI use cases are often showcased to consumers without warning of potential dangers in their application. When a service is free, your data is often the cost of entry. 

Today, we dive into three key elements of data privacy concerns in AI:

• What information are you exposing publicly?  

• What data are you putting into AI applications?  

• And finally, how are you storing your data? 

Operations Security (OPSEC): What information are you exposing publicly?

The public release of information can lead to both positive and negative outcomes. Classification by compilation, in which a series of seemingly harmless pieces of information are pieced together in open source, leading to exposure of proprietary, sensitive information, gives credence to the age-old saying, “Loose lips sink ships.” 

You may be wondering what this has to do with AI. Any information posted publicly can be used by developers to train AI algorithms. This could lead organizations to aid their competitors indirectly, should they choose to use the same AI platforms. An example of this is a 2023 lawsuit filed by artists against a number of companies that own AI image-generating tools. The artists argued that the AI companies used their art to train algorithms without the artists being properly compensated. The court ultimately ruled against the artists, demonstrating that it is extremely difficult to prove what data was used to train AI algorithms.

What data are you putting into AI applications?

As the use of AI continues to expand, users should carefully consider what data they are exposing. When using popular public-facing AI platforms, such as those created by OpenAI, Microsoft, and Amazon, users must be aware of the type of data they input. Sensitive data, including client information, PII, and trade secrets, should not be used to prompt public-facing AI tools. Inputs into these tools are used to further train the algorithm and develop these tools.

How are you storing your data?

When an organization decides to create or collaborate on a new AI model, large amounts of data are required to train it. When considering where to store such data, cloud storage appears as an attractive option. However, it is also important to consider the options and risks associated with data storage.

One example of such risk is the May 2024 data breach suffered by cloud-based data storage company Snowflake.

The threat actor responsible for the breach, UNC5537, subsequently extorted Snowflake, leading to at least $2.7 million in ransom payments for data suppression. This attack was primarily driven by compromised credentials without MFA, demonstrating the need for organizations to not only assess their third-party risk exposure but also continually implement security best practices.

Conclusion

AI is a powerful tool for organizations looking to enable employees to work within their strengths and increase efficiency. However, the improper use of AI can have disastrous effects. It is important for organizations to develop policies and training on the implementation and use of AI to set employees up for success and ensure the security of their environments. Tune in next week for the final installment of AI Deep Dive: Understanding Biases & How Threat Actors Use AI.

Sources 

• https://x.com/Cyberknow20/status/1797164649408061453

• https://www.darkreading.com/threat-intelligence/snowflake-account-attacks-driven-by-exposed-legitimate-credentials

Suspected North Korean Actors Pull off the Largest Crypto Heist in History

On February 21st, 2025, approximately $1.4 billion USD in Ethereum was stolen from cryptocurrency exchange Bybit. Ethereum held a price of $2600 per token as of February 21st and is one of many cryptocurrencies the exchange holds. Some quick division shows that at least 500,000 Ethereum coins were stolen, making this the largest crypto heist to date in value. Both TRM Labs and Chainalysis have assessed the threat actor to be associated with North Korea with high confidence due to an overlap in crypto wallets tracked as belonging to North Korea.

What's Notable and Unique: 

• North Korea has a long history of financial fraud, money laundering, and other illicit activity. Members of the Democratic People’s Republic of Korea (DPRK) military regularly participate in illicit activities, including remote worker fraud, cryptocurrency hijacking and mining, money mules, wire fraud, and even ransomware. These cybercriminal activities allow DPRK to bypass international sanctions to raise funds for their military.
  
  

• The threat actors compromised one of Bybit’s offline cold wallets, digital wallets that store private keys needed to access other cryptocurrency wallets completely offline. Due to the wallet being disconnected from the internet, the most likely sources of the compromise were a supply chain attack, insider threat, or a private key compromise.
  
  

• The alleged North Korean threat actors may not be able to fully monetize the theft. The funds must now be laundered before being taken out at another exchange, as most of the initial wallets to which funds were transferred have been marked as having stolen funds on legitimate cryptocurrency exchanges. The laundering will likely be a two-step process. First, the funds will be exchanged for a native cryptocurrency, such as Ether or BTC, as it is difficult to track stolen funds across cryptocurrency blockchain transfers. Next, the actors will attempt to cover their tracks further by layering the funds to throw investigators off their trail. Shortly after the compromise the actor used 50 wallets and placed 10,000 coins in each, further supporting the alleged theft of 500,000 coins in total.
  
  

• Bybit has offered a 10% bounty on the stolen coins, leading to a potential purse of $140 million. So far, $42.89 million of the stolen funds have been frozen. However, it is unclear whether this is the work of bounty hunters, law enforcement, or Bybit.

Conclusion 

While crypto-related attacks may seem like a new concept at face value, this is the most recent heist in a string traversing ten years. In 2024 alone, North Korean threat actors were associated with $1.5 billion out of $2.2 billion in theft. With North Korea conducting these thefts, the funds enter a broader cybercriminal ecosystem, increasingly invading the insurance ecosystem. Most recently, these threats have expanded into North Koreans fraudulently joining North American and European companies, stealing their source code, and then extorting the companies. Funds stolen in cryptocurrency thefts like the Bybit thefts are funding infrastructure supporting this increasingly stealthy form of extortion, consequently resulting in funds supporting the North Korean military.

Fortunately, as threat actors and money launderers strengthen their ability to hide stolen money, blockchain analytic techniques and toolsets have also evolved. Often, the best way to prevent crypto heists and cybercrime is to implement sound security principles, including password management, vulnerability patching, and end user training.

Sources 

• https://www.trmlabs.com/post/trm-links-north-korea-to-record-1-5-billion-record-hack

• https://www.infosecurity-magazine.com/news/bybit-140m-bounty-recover-mega/ 

• https://www.benzinga.com/markets/cryptocurrency/25/02/43905078/bybit-nears-recovery-after-crypto-heist-freezes-42-89-million-in-stolen-funds-secures-1-23-billion-in-eth-through-whales-and-loans

• https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2025/

Medusa Leveraging EDR Evasion Tool

The Medusa ransomware group was recently observed utilizing the Poortry tool to evade endpoint detection and response (EDR) software when attacking victims. Poortry is a tool that uses a modified kernel driver to bypass or disable EDR software and has been a threat since 2022. It leverages three core capabilities to evade most built-in driver protection capabilities, including abusing leaked certificates, forging signature timestamps, and bypassing Microsoft attestation signing. In the recent Medusa campaign, the threat actor primarily leverages signatures from Chinese technical universities. However, this does not indicate that the group is working with the Chinese. 

What’s Notable and Unique

• Emerging as a threat in 2022, Poortry’s developers continue to modify their drivers so they can effectively evade EDR software. In July 2024, researchers discovered a version of Poortry that could completely delete components of the EDR software instead of just evading detection.
  
  

• Some of the drivers observed in the Medusa engagements had expired or illegitimate certificates that were named to appear as legitimate EDR drivers. In particular, the drivers were masquerading as CrowdStrike Falcon and Palo Alto Cortex.
  
  

• Medusa is not the only threat group that uses the tool. Since 2022, researchers have also identified Cuba, ALPHV/BlackCat, LockBit, and RansomHub leveraging Poortry in attacks.

Analyst Comments

An increase was observed in the use of EDR killers by multiple threat groups in 2024, and this trend will likely continue in 2025 as more organizations rely on EDR solutions to secure their environment. Most driver-based EDR evasion methods rely on a technique known as Bring Your Own Vulnerable Driver (BYOVD), in which a threat actor will install a legitimate driver with known vulnerabilities onto a victim machine and then exploit them to gain privileges. Behavioral protection rules and blocking downloads of system-level drivers within EDRs can help counter these tools, and it is important for organizations to keep their systems updated and maintain adequate separation between user and admin privileges to limit threat actors’ ability to install vulnerable or malicious drivers.

In the case of Poortry, the EDR evasion capabilities rest in the tool’s ability to bypass legitimate protection on driver downloads. The tool then either deletes or terminates EDR processes. The most critical components for protecting against this type of functionality are restricting the ability to tamper with or uninstall EDR and enabling alerting when devices are removed from an EDR maintenance console.

Sources 

• https://news.sophos.com/en-us/2024/08/27/burnt-cigar-2/

• https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/

Sanctions Against Zservers

On February 11th, 2025, the US Treasury Department, along with the UK and Australian governments, sanctioned the bulletproof hosting provider Zservers, their registered company name XHOST Internet Solutions LP, and six administrators for providing support to ransomware groups –particularly LockBit ransomware-as-a-service (RaaS) affiliates. Additionally, on February 12th, law enforcement in the Netherlands seized 127 servers used by Zservers/XHOST following a yearlong investigation of the hosting provider.  

What is Bulletproof Hosting?

Bulletproof hosting (BPH) providers are hosting services that offer anonymity from law enforcement. They are part of the cybercrime-as-a-service ecosystem and sell access to servers and infrastructure for operating and conducting cyberattacks and other criminal activity. BPHs market themselves on dark web forums and use techniques in their networks and architecture that make it difficult for law enforcement to identify and track users paying for their services.

Analyst Comments

To assess these potential sanctions issues accurately, we will leverage Autonomous System Numbers (ASNs) associated with the hosting provider and the known cryptocurrency wallets the administrators use. SJA Labs tracks ASNs and hosting providers used by threat actors as part of our robust attribution, tracking, and due diligence processes for compliance with the Department of the Treasury’s Office of Foreign Asset Controls (OFAC) and Anti-Money Laundering (AML) frameworks. As ASN and routing assignments change, we will continuously monitor the Zserver/XHOST infrastructure to capture its use by threat actors. Despite its widespread usage, XHOST infrastructure is not often the primary infrastructure leveraged by threat actors and was observed in only 2% of ransomware and extortion engagements to date. Further, the law enforcement seizures of the Zservers and XHOST servers will render most of the currently registered infrastructure unusable by threat actors, further limiting the impact of potential sanctions on current and future engagements.

Sources

• https://home.treasury.gov/news/press-releases/sb0018

• https://www.gov.uk/government/news/new-uk-sanctions-target-russian-cybercrime-network

• https://therecord.media/zservers-russia-bulletproof-hosting-us-uk-sanctions

• https://www.politie.nl/nieuws/2025/februari/13/politie-amsterdam-ontmantelt-digitaal-crimineel-netwerk-127-servers-offline-gehaald.html

• https://www.cyber.gov.au/about-us/view-all-content/publications/bulletproof-hosting-providers

RA World’s Suspected Link to Chinese Espionage Groups

The threat actor RA World was observed using a toolkit linked to a China-based cyber espionage group to carry out a ransomware attack, raising questions about the link between the ransomware group and Chinese state-sponsored groups. The attack, carried out in November 2024, deployed the PlugX payload, which has been observed in several instances of cyber espionage. PlugX malware is typically used to establish persistence and install backdoors. The November intrusion saw PlugX malware used against a medium-sized software and services company in South Asia.

What's Notable and Unique: 

• Though no infection vector was found, the attacker said they exploited CVE-2004-0012, a known vulnerability in the PAN-OS firewall that has been exploited by state-sponsored and ransomware actors.
  
  

• Palo Alto researchers previously found connections between RA World and Bronze Starlight (AKA Emperor Dragonfly or Storm-401), a China-based threat actor known for using ransomware groups.
  
  

• While China has a history of allowing its state-affiliated threat actors to moonlight, the use of traditional espionage tools for ransomware attacks is generally not allowed. 

Analyst Comments

State-sponsored threat actors have used ransomware as a tool in their arsenal since it was first used to extort money from victims. While ransomware can be used by state-sponsored threat actors to support state interests, state-sponsored threat actors also deploy ransomware to make money on the side. This form of moonlighting is commonly seen among Chinese- and Russian-sponsored actors. It is currently unclear if state actors operate RA World in any capacity.

Despite speculation linking RA World to the Chinese threat group Bronze Starlight, this connection also remains uncertain. The overlap in attack methodologies, including the use of the NPS tool and Babuk-based payloads, may be coincidental due to the availability of leaked tools. Nevertheless, RA World’s ability to exploit vulnerabilities like those in Palo Alto PAN-OS and Citrix Bleed, coupled with its evolving tactics, emphasizes the importance of heightened cybersecurity measures and vigilance around this growing threat.

The overlap between these various actors also highlights the importance of looking beyond just the ransomware brand when responding to ransomware attacks. Convergence among threat actors remains a persistent threat to organizations as overlaps drive improved tooling.

Sources 

• https://www.bleepingcomputer.com/news/security/chinese-espionage-tools-deployed-in-ra-world-ransomware-attack/

• https://thehackernews.com/2025/02/hackers-exploited-pan-os-flaw-to-deploy.html

• https://unit42.paloaltonetworks.com/ra-world-ransomware-group-updates-tool-set/

• https://www.sentinelone.com/anthology/ra-group/

• https://www.trendmicro.com/en_ae/research/24/c/multistage-ra-world-ransomware.html

• https://unit42.paloaltonetworks.com/ra-world-ransomware-group-updates-tool-set/

Active Exploitation of Vulnerability in Palo Alto Networks PAN-OS

Hackers are targeting Palo Alto Networks PAN-OS firewalls and taking advantage of a recently patched vulnerability (CVE-2025-0108) that enables authentication bypass. The high-severity security flaw affects the PAN-OS management web interface and allows an unauthorized network attacker to overcome authentication and run certain PHP scripts, compromising confidentiality and integrity.

What’s Notable and Unique  

• These attacks leverage a PAN-OS path misunderstanding between Nginx and Apache, which makes it possible to bypass authentication. Attackers with network access to the management interface can modify accessible settings to weaken security defenses or obtain intelligence for future attacks.
  
  

• Security researchers demonstrated that the vulnerability could be used to access firewall configurations, harvest private system data, or even change specific PAN-OS settings. One security researcher stated that over 4,400 PAN-OS devices are currently exposing their management interface online.
  
  

• Palo Alto Networks issued a security alert listing the versions impacted by the vulnerability and urging administrators to update their firewalls to newer versions. Although PAN-OS 11.0 is also affected, Palo Alto Networks has no plans to issue any solutions for the product because it has reached end of life. Users are strongly encouraged to switch to a supported version.

Analyst Comments

Palo Alto Networks has confirmed reports of active exploitation aimed at a PAN-OS web management interface vulnerability, and the security upgrades released by Palo Alto should be applied right away by all users who have PAN-OS administration interfaces accessible via the internet. It is highly advised to all enterprises to assess their setups to reduce risk, as protecting management interfaces that are publicly accessible is a fundamental security best practice.

Sources 

• https://www.assetnote.io/resources/research/nginx-apache-path-confusion-to-auth-bypass-in-pan-os

• https://www.bleepingcomputer.com/news/security/hackers-exploit-authentication-bypass-in-palo-alto-networks-pan-os/

• https://security.paloaltonetworks.com/CVE-2025-0108

• https://www.greynoise.io/blog/greynoise-observes-active-exploitation-of-pan-os-authentication-bypass-vulnerability-cve-2025-0108

AI Deep Dive Part 1: The History of AI

Artificial intelligence (AI) is a subset of computer science that focuses on creating systems that can replicate human intelligence and problem-solving capabilities. This is accomplished by feeding large amounts of data into machine learning models (MLMs) and processing the data. The result is technology that can simulate human learning, comprehension, problem-solving, decision-making, creativity, and autonomy. 

While often seen as new, cutting-edge technology, AI has been around far longer than most would think. While the concept of AI goes back to ancient philosophers theorizing on life and death, AI as we know it began in the early 1900s. The conception of what AI is began to be portrayed in science fiction by various authors and artists throughout the early 1900s prior to what is commonly known as “the birth of AI.”  

AI Through the Ages 

• The Birth of AI: 1950 – 1956
  
  Computer scientists such as Alan Turing, Arthur Samuel, and John McCarthy set the stage for the beginning of AI. Turing published “Computer Machinery and Intelligence,” which annotated a test of machine intelligence called the Imitation Game. Turing theorized that any machine able to fool a human judge would be classified as artificial intelligence.
  
  

• AI Maturation: 1957 – 1979
  
  The next twenty years showed little growth for AI at a technical level. While the concept of AI became popular in pop culture, funding-backed research was minimal during this period. However, that is not to say that strides towards what AI is today were not made. The first programming languages were created, paving the way for future development. The first AI chatbot was created, which adopted a new approach to AI that we now call deep learning, and the first examples of an autonomous vehicle were created.
  
  

• AI Boom: 1980 – 1987
  
  During the seven-year period known as the AI boom, government funding and associated research significantly increased. The first Association for the Advancement of Artificial Intelligence (AAAI) conference was held at Sanford, and the first driverless car demonstrated its ability to drive up to 55 mph on empty roads.
  
  

• AI Winter: 1987 – 1993
  
  Overall, funding and interest in AI decreased during this period, leading to fewer advancements in the technology than in years prior.
  
  

• AI agents: 1993 – 2011
  
  Despite the initial lack of investment in AI, the technology as a whole significantly increased its capabilities during this time period. Most notably, this is when AI began being integrated into people's daily lives with items such as the Roomba and the release of Apple's virtual assistant, Siri.
  
  

• Early General Artificial Intelligence: 2012 – Present
  
  This brings us up to the current state of AI. The last decade has shown impressive leaps in AI's ability to aid humans in day-to-day functions. This is also accompanied by enormous data collection from well-known companies that are able to train their AI models, which has led to the release of consumer-facing AI models such as ChatGPT, Copilot, and more. 

Conclusion 

AI as a whole is a fast-changing, fluid concept. Organizations regularly unveil new capabilities and breakthroughs. This was especially evident in the recent unveiling of Deepseek and the subsequent data privacy concerns. In a single day, this overturned the sector in one fell swoop. AI will likely remain a constantly changing field in the near term. 

What’s Next? 

Part 2 of the AI Deep Dive will examine the risks and benefits of organizations adopting AI into their business models.  

Sources 

• https://www.accuracy.com/artificial-intelligence-episode-2-the-imitation-game-and-business/#:~:text=Turing%20considered%20that%20any%20machine,machine%20or%20the%20human%20player. 

• https://www.tableau.com/data-insights/ai/history 

• https://www.ibm.com/think/topics/artificial-intelligence

XE Hackers Group Shifts from Credit Card Skimming to Veracore Zero-days 

XE Hackers, a Vietnam-based group previously known for credit card skimming, has recently been exploiting zero-day vulnerabilities in Veracore, a warehouse management software. Up until recently, XE Hackers made their money by selling stolen credit card data on carding forums and monetizing password theft. Recently, the group was detected exploiting two Veracore zero-day vulnerabilities on previously deployed persistent web shells. 

What's Notable and Unique: 

• Previously, security researchers did not believe that XE Hackers had the resources necessary to exploit zero-days. This shift signifies a trend of threat actors favoring persistent access and extortion over general fraud. 

  • This trend coincides with an increase in extortion events using web servers.  

• XE Hackers’ new tactics now pose a threat to supply chains in the manufacturing and distribution sectors.
  
  

• Vulnerabilities exploited by XE Hackers: 

  • CVE-2024-57968 (CVSS score: 9.9) - Allows remote authenticated users to upload files to unintended folders. This vulnerability was resolved in VeraCode version 2024.4.2.1.

  • CVE-2025-25181 (CVSS score: 5.8) - A SQL injection vulnerability that allows remote attackers to execute arbitrary SQL commands. No patch is currently available.

Analyst Comments  

This evolution exemplifies threat actors shifting from general cybercrime to more dangerous tactics that can cause increased operational impacts to organizations. Lesser-known threat actors can quickly prove they have the resources and capabilities to become a significant threat. As the number of skilled cybercrime groups grows, it is increasingly important to secure endpoints and maintain thorough event logs to detect suspicious behavior. Zero-day exploitations are difficult to prevent with patching, so detection is crucial. The persistent webshells are also a reminder to keep web servers secure and conduct consistent scans to detect any hidden TA access. 

FBI, Europol, and NCA Take Down 8Base Ransomware 

A concerted law enforcement effort has taken down the 8Base ransomware group's dark web data leak and negotiating websites. The U.S. Federal Bureau of Investigation (FBI), Europol, the U.K. National Crime Agency (NCA), and agencies from Bavaria, Belgium, Czechia, France, Germany, Japan, Romania, Spain, Switzerland, and Thailand were all involved in the takedown. According to Thai media sources, four European nationals, two men and two women, were taken into custody on Monday in four different locations during an operation known as Operation Phobos Aetor. 

What's Notable and Unique: 

• According to reports, authorities collected over 40 pieces of evidence, including digital wallets, laptops, and cell phones.
  
  

• 8Base is allegedly connected to the spread of the Phobos ransomware, which was used against 17 Swiss organizations between April 2023 and October 2024. Additionally, the group has been charged with making $16 million from attacks targeting more than 1,000 victims worldwide.
  
  

• Previous research by VMware revealed a Phobos sample with a ".8base" file extension on encrypted files, demonstrating how 8Base, a prominent double extortion actor in 2023, incorporates Phobos ransomware artifacts into its financially motivated cyberattacks.
  
  

• In a news release, Europol said that the four people detained are all Russian citizens accused of using a variant of the Phobos ransomware to extort victims throughout Europe and beyond.
  
  

• Additionally, the operation disrupted over 100 servers connected to the cybercrime network. 

Analyst Comments  

Throughout 2024, there was significant law enforcement pressure on ransomware organizations, and it is encouraging to see this trend continue in 2025. One of the most effective means of reducing ransomware attacks seems to be consistent law enforcement activity. 

Sources 

• https://www.theregister.com/2025/02/10/8base_police_arrrest/ 

• https://www.reuters.com/technology/cybersecurity/four-russians-arrested-phobos-ransomware-crackdown-europol-says-2025-02-11/  

• https://therecord.media/8base-ransomware-site-taken-down-4-arrested

Figure 1. Activity from the top 3 threat groups in January 2025 

Akira

Akira first emerged in April 2023 and quickly established itself as one of the most active ransomware groups. Through the end of 2024, the group remained one of the most prevalent ransomware threats and benefitted from law enforcement’s actions against LockBit and ALPHV. Akira encrypts and exfiltrates data to a remote server and extorts victims by threatening to post sensitive information on its DLS. The ransomware appends an “.akira” extension to encrypted files and uses a password-protected TOR site for communication and negotiations with its victims. 

Notable TTPs  

• Akira primarily relies on vulnerabilities in Cisco devices to achieve initial access before typically using AnyDesk to maintain persistence and launch various operations. They have also been observed using remote access trojans (RATs) like SystemBC.  
  
  

• Akira will delete Windows Shadow Volume Copies using Powershell and utilize the Windows Restart Manager API to exit processes and services that may prevent encryption.  

Analyst Notes   

With the fall of ALPHV/BlackCat and the decline of LockBit in 2024, Akira developed into a ransomware operation that is consistently one of the top variants observed each month. With the exception of April and July, Akira was among the top three most active threat groups throughout 2024. We expect this level of activity will continue in the near term, and organizations should remain vigilant in security measures and consider implementing robust backups to mitigate the impact of a potential ransomware attack. 

Fog 

Fog is a relatively new ransomware group that was first observed in late April 2024. Initially, Fog primarily targeted organizations in the education sector using compromised VPN credentials. Engagements with the ransomware group and victims suggest that the group is expanding its attacks to target other industries.  

Notable TTPs  

• Fog ransomware appends either a “.fog” or “.flocked” extension to the files it encrypts. Ransom notes are named "readme.txt" and contain consistent language, a Tor link for ransom negotiations, and a unique code for victims to access the chat. In June 2024, the group stood up a Tor data leak site they call the "Fog Blog.”
  
  

• Fog is using a variety of tools commonly used by other threat groups, including AnyDesk, Advanced Port Scanner, Netscan, Cobalt Strike, Mimikatz, Splashtop, MegaSync, and FileZilla.  

Analyst Notes   

Fog has been among the most active threat groups since the second half of 2024. Although the group has previously primarily targeted schools and educational organizations, it has since expanded its focus to other industries. Fog has also recently been exploiting a critical SonicWall VPN vulnerability since October 2024, contributing to its consistent activity levels.

RansomHub

RansomHub is a RaaS operation that emerged in January 2024 and is believed to be a rebrand of the Cyclops and Knight ransomware groups. In February, the group was observed recruiting affiliates on the Russian cybercrime forum RAMP. Affiliates reportedly receive 90% of the ransom, with the remaining 10% going to the group’s operators. RansomHub explicitly prohibits attacks on non-profit organizations and specific countries, including the Commonwealth of Independent States, Cuba, North Korea, and China. The threat actors behind RansomHub are located in various global locations and are united by a common goal of financial gain. 

Notable TTPs  

• RansomHub reportedly uses the Cobalt strike platform for lateral movement, the Rcolne tool for data exfiltration, and a cloud file storage service called Wasabi.    
  
  

• RansomHub operates a DLS and threatens to publish sensitive victim data if a payment is not made. The group’s administrators are also known to communicate with media sources.  

Analyst Notes 

Engagements attributed to RansomHub increased rapidly since SJA Labs first observed the group in May 2024, and it quickly established itself as one of the top threat actor groups since July 2024. The group has targeted a wide range of high-profile victims in its short tenure thus far, and the threat actors are clearly not afraid to monetize their efforts in any way possible.

Observed Malware in December 2024  

Jupyter Infostealer: The Jupyter Infostealer, also known as SolarMarker, is a .NET-based malware that has been active since late 2020. It functions as both an information stealer and a backdoor, primarily targeting web browsers, including Chromium, Mozilla Firefox, and Google Chrome. It steals cookies, login credentials, and security certificates from infected systems. Earlier versions had minimal obfuscation and clearly labeled functions, but newer variants are more advanced, employing heavy obfuscation and strong encryption methods like AES and RSA to communicate with command-and-control (C2) servers. More recent versions also use private key signatures and modify PowerShell scripts to appear as legitimate software. These tactics help Jupyter evade security measures by making it seem like a trusted application, improving its chances of avoiding detection. 

ASPXSpy: ASPXSpy is a web shell malware designed to provide attackers with remote control over compromised web servers. Written in ASP.NET, it allows threat actors to execute commands, upload or download files, modify system settings, and conduct further attacks within a network. Because ASPXSpy is lightweight and easily obfuscated, it is often used for persistent access in web-based intrusions. 

Babadeda: Babadeda is a crypter, a tool cybercriminals use to encrypt and obfuscate malicious code, making it harder for security software to detect. Active since at least 2021, Babadeda has been employed to distribute various types of malware, including information stealers, RATs, and ransomware. 

SocGholish: SocGholish is a malware family that disguises itself as software updates to trick users into executing a malicious JavaScript payload, thereby granting the malware control over the compromised system. SocGholish is frequently used by threat actors as an initial access broker, providing entry points for other attackers to exploit. It has been associated with the deployment of secondary payloads like Cobalt Strike, a tool often used for post-exploitation activities, including lateral movement and privilege escalation within a compromised network.  In December 2024, a campaign targeted Kaiser Permanente employees via fraudulent Google Search Ads. These ads impersonated the company's HR portal, leading users to compromised websites that prompted fake browser update notifications. Executing these updates resulted in SocGholish malware infections.

CobaltStrike: CobaltStrike is a legitimate software suite designed for red team operations to conduct security assessments. However, it remains popular among cybercriminals, including ransomware gangs, for its versatility in command-and-control (C2) communications, reconnaissance, and malware delivery. Organizations should monitor for indicators of Cobalt Strike activity, including unusual C2 traffic and unauthorized PowerShell execution. Implementing endpoint detection and regular threat hunting can help mitigate the risk.

Figure 1. Countries where devices were infected by the trojanized XWorm RAT (source: CloudSEK) 

Analyst Comments 

While the idea of targeting entry-level hackers with a trojanized builder may seem like poetic justice, the data set recovered by security researchers revealed the alarming number of individuals worldwide interested in engaging in malicious cyber activity. The ever-growing  

accessibility of information and emerging technologies like AI continue to lower the barrier of entry into cybercrime. Although the focus is typically on threats from the larger ransomware and extortion groups, less-skilled cybercriminals can still cause substantial financial damage and business disruption to the organizations they target. Additionally, the geographic diversity of the infected devices reflects the global threat of cybercrime.   

Sources 

• https://www.cloudsek.com/blog/no-honour-among-thieves-uncovering-a-trojanized-xworm-rat-builder-propagated-by-threat-actors-and-disrupting-its-operations

Fake Reddit and WeTransfer Sites Push Lumma Stealer Malware

Threat actors are spreading approximately 1,000 websites that imitate Reddit and the file-sharing website WeTransfer, luring unsuspecting users to download the Lumma information-stealing malware. The malicious sites display a phony Reddit discussion thread on a particular subject. To give an air of credibility, the thread originator requests assistance downloading a specific tool, another user offers to assist by uploading it to WeTransfer and providing the URL, and a third user thanks them for sharing the resource. 

What's Notable and Unique: 

• Unsuspecting victims who click on the link visit fake WeTransfer websites that imitate the user interface of the well-known file-sharing service. The "Download" button leads to the Lumma Stealer payload.

• To feign authenticity, every website featured in this campaign includes a string of the brand they are impersonating, followed by random letters and numbers. The two top-level domains are ".org" and ".net."

• Sekoia researchers discovered these phony websites and offered a comprehensive list of domains involved in the scam. There are 407 pages pretending to be the official WeTransfer service offering a download and 529 pages mimicking Reddit.  

Analyst Comments  

Lumma Stealer is a powerful tool that uses sophisticated data stealing and evasion techniques. Hackers purchase the malware, which they disseminate via various channels, such as malvertising, deepfake-generating websites, and GitHub comments. This information-stealing malware can gather session tokens and passwords saved in web browsers and utilize them to take over accounts without the user's credentials. In this type of attack, threat actors often steal sensitive login information and attempt to sell it on dark web forums. 

Sources 

• https://www.bleepingcomputer.com/news/security/hundreds-of-fake-reddit-sites-push-lumma-stealer-malware/  

• https://x.com/crep1x/status/1881404758843699402?mx=2

Ransomware Targets ESXi Systems via Stealthy SSH Tunnels for C2 Operations

In recent years, VMware ESXi appliances have become high-value targets for ransomware groups due to their critical role in virtualized infrastructures. These appliances are increasingly exploited for exfiltrating and encrypting virtual machine images, leading to severe operational disruptions and reputational damage.  

Beyond this, threat actors are leveraging ESXi appliances earlier in the attack chain, using them as a pivot point to tunnel traffic and gain further access to corporate networks. This tactic involves exploiting native tools, like Secure Shell (SSH), to establish stealthy communication channels (e.g., SOCKS tunnels) between the compromised infrastructure and command-and-control (C2) servers. The limited monitoring of ESXi hosts often allows these attacks to proceed undetected, exacerbating the risk and potential impact on affected organizations. 

What’s Notable and Unique  

• In many cases, attackers compromise ESXi appliances by either using administrative credentials or exploiting known vulnerabilities to bypass authentication. They then set up tunneling via native SSH functionality or other common tools, creating a semi-persistent backdoor within the network due to the resilience and rare shutdowns of ESXi appliances.

• In one of the reported incidents, the Abyss Locker ransomware group exploited ESXi appliances and Network Attached Storage (NAS) devices to tunnel traffic within networks, using its Linux ELF encryptor and the "esxcli" VMware ESXi tool to terminate virtual machines and encrypt their virtual disks (.vmdk), metadata (.vmsd), and snapshots (.vmsn). It also encrypts other files on the device, appending the ".crypt" extension and creating ransom notes for each file.

• SJA Labs' Threat Intelligence team identified that the Play and Fox ransomware groups have targeted ESXi hosts, with Play ransomware specifically adding ransom notes as wallpapers to the affected login portals. 

Analyst Comments

Given the increasing sophistication of ransomware attacks targeting ESXi appliances, organizations must prioritize proactive monitoring and log analysis to detect early signs of intrusion. The four key log files (/var/log/shell.log, /var/log/hostd.log, /var/log/auth.log, and /var/log/vobd.log) offer valuable insights into SSH tunneling and potential ransomware activity, including traces of command execution, administrative actions, login attempts, and firewall rule modifications.  

To improve detection and response capabilities, it is highly recommended that organizations centralize ESXi logs through syslog forwarding and integrate them into a Security Information and Event Management (SIEM) system, enabling more effective identification of anomalies and reducing the risk of undetected attacks. 

Sources

• https://www.sygnia.co/blog/esxi-ransomware-ssh-tunneling-defense-strategies/ 

• https://www.bleepingcomputer.com/news/security/ransomware-gang-uses-ssh-tunnels-for-stealthy-vmware-esxi-access/ 

• https://www.bleepingcomputer.com/news/security/linux-version-of-abyss-locker-ransomware-targets-vmware-esxi-servers/ 

• https://www.sentinelone.com/labs/hypervisor-ransomware-multiple-threat-actor-groups-hop-on-leaked-babuk-code-to-build-esxi-lockers/

Cybercriminals are Phishing Companies That Use Google Ads with…Google Ads

A new campaign is targeting unsuspecting Google Ads users by phishing for their credentials through Google Ads. Individuals are tricked into entering credentials into what appears to be their Google Ads login page, but is actually a site that mimics the login page being pushed through Google Ads. This unique use of malvertising to gain compromised credentials fuels the fire for broader malvertising campaigns and cybercriminal operations. 

What Happens?  

Once an unsuspecting victim clicks on the fraudulent Google Ads page, they are prompted to enter their Google account information. In addition to account credentials, the phishing kit collects unique information, including cookies and cached browser credentials. Once this is complete, the threat actor attempts to log into the user’s Google Ads account and lock the account holder out. An email indicating a mysterious login attempt is the sole means of identifying this nefarious activity.

What happens next is where things get interesting. Once the threat actor has control of the account, they have two options: 

• Repurpose the account to conduct malvertising campaigns leading to phishing kits, remote access trojans (RATs), information stealers, and other tools to perpetuate cybercriminal activity.

• Expand their reach of Google Ads by using the compromised account to collect additional Google Ads accounts with the same technique, leading to an ever-growing reserve of compromised accounts.

Analyst Comments

The ongoing campaign targeting Google Ads credentials reflects the continued increase in malvertising observed by SJA Labs. This also highlights the need for end users’ heightened scrutiny surrounding communications as threat actor phishing tactics evolve and mature. SJA Labs advises caution in day-to-day operations and encourages end users to be cognizant of the various methods threat actors utilize to gain initial access into victim environments.  

Sources 

• https://www.malwarebytes.com/blog/news/2025/01/the-great-google-ads-heist-criminals-ransack-advertiser-accounts-via-fake-google-ads

Rise in Phishing Kits Targeting Microsoft Office 365 Accounts 

Security researchers recently discovered a new phishing kit targeting Microsoft 365 accounts. The kit, called Sneaky 2FA, functions as an Adversary-in-the-Middle (AiTM) kit that can bypass two-factor authentication. Sneaky 2FA has been sold since October 2024 by a cybercrime service called “Sneaky Log” as a phishing-as-a-service (PhaaS) product to steal Microsoft Office 365 credentials. Researchers first observed Sneaky 2FA in December 2024, and it has since been observed in almost 100 domains. 

What’s Notable and Unique  

• The phishing pages are typically hosted on compromised infrastructure, such as WordPress sites or other domains controlled by the threat actor. The fake authentication pages seem more legitimate by employing tactics like automatically populating the user’s email address.

• Sneaky 2FA is the latest arrival in a trend of PhaaS platforms. In 2024, another PhaaS kit, Tycoon 2FA, was sold and used to bypass multi-factor authentication (MFA). MFA is a common tool used to secure user credentials, and cybercriminal activity related to bypassing this authentication method is rising quickly. SJA Labs sees Tycoon 2FA regularly in business email compromise (BEC) response engagements. It is used to steal session cookies, rather than just login credentials.  

Analyst Comments

Increased availability of phishing kits continues to demonstrate the expanding ecosystem of tools enabling cybercrime and the evolution and maturation of phishing tactics employed by threat actors. In 2024, SJA Labs observed phishing as the method of intrusion in 40% of business email compromise (BEC) engagements throughout the year. Phishing kits like Sneaky 2FA and Tycoon 2FA will likely continue to evolve as long as threat actors are able to successfully utilize them to obtain victim credentials. Verifying the legitimacy of links and websites prior to entering credentials remains a critical practice for end users. 

Sources 

• https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/  

• https://www.securitymagazine.com/articles/101308-two-factor-authentication-phishing-kit-targets-microsoft-365-accounts  

• https://blog.barracuda.com/2025/01/22/threat-spotlight-tycoon-2fa-phishing-kit

Funksec: New Threat Group Leverages AI to Build Malware

Funksec is a new ransomware-as-a-service (RaaS) that emerged in December 2024. Over the past month, the group has posted more victims to its data leak site (DLS) than any other ransomware group, surpassing more established groups like Akira and RansomHub. However, cybersecurity researchers recently discovered that this prolific activity from Funksec may actually be the work of inexperienced threat actors leveraging artificial intelligence (AI) to assist them in building malware.  

What’s Notable and Unique  

Since emerging in December, Funksec has aggressively self-promoted its ransomware activities and capabilities, posting over 85 victims on its DLS and even going as far as providing an interview to boast about its capabilities. In addition to the victims, the DLS contains information about purchasing the RaaS and various tools, including a Distributed Denial-of-Service (DDoS) tool and a remote desktop management tool written in C++. Despite the group's seemingly rapid growth, security researchers made several discoveries about Funksec's malware and operations, suggesting the group isn't as sophisticated or prolific as it claims to be. 

• Analysis of the group’s ransomware indicates that the malware was created by an inexperienced developer and contains redundancy and code duplication not typically observed in ransomware, as well as multiple indications that the developer resides in Algeria. Additionally, the group appears to have used AI to assist in the development of its tools and malware.

• Despite the high volume of victims posted on the DLS since December, some of the leaks appear to be data stolen from previous hacktivist-related activity, suggesting that Funksec’s actual activity level is lower than what the DLS claims.

• Funksec reportedly requests ransom amounts as low as $10,000, which is uncommonly low compared to other active RaaS groups.   

Analyst Comments

While it is too early to assess the threat this new group will pose in 2025, Funksec is not the first to leverage its DLS to give an inflated appearance of their activity levels. What's more notable is the use of AI in creating the tools and malware used by the new ransomware group. AI is more commonly observed in creating phishing and social engineering campaigns, but it was only a matter of time before novice cybercriminals leveraged it to build the tools and malware for conducting ransomware attacks. 

Sources 

• https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/ 

• https://osint10x.com/threat-actor-interview-spotlighting-on-funksec-ransomware-group/  

• https://www.ransomlook.io/stats

Infostealer Disguised as PoC Code Exploiting Recent LDAP Vulnerability

Threat actors are distributing information-stealing malware disguised as proof-of-concept (PoC) exploit code for a recently discovered Windows Lightweight Directory Access Protocol (LDAP) vulnerability. The vulnerability, identified as CVE-2024-49113 and named LDAPNightmare, can lead to denial-of-service (DoS) attacks. It was patched in a security update issued on December 10, 2024. 

What’s Notable and Unique  

• This fake PoC exploit is designed to deceive security researchers into downloading and executing information-stealing malware. The malicious repository appears to be a fork of the original, where the Python files have been replaced with an executable, poc.exe, packed using UPX. When executed, the file drops and runs a PowerShell script in the %Temp% folder, creating a Scheduled Job that triggers an encoded script.

• Once decoded, the script retrieves another script from Pastebin to collect the victim's public IP address and upload it via FTP. It then gathers and compresses system information, including computer details, process lists, directory lists, network IPs, network adapters, and installed updates, before uploading the data to an external FTP server using hardcoded credentials. 

Analyst Comments

Our security researchers remain vigilant in continuously monitoring the tactics, techniques, and procedures (TTPs) associated with information-stealer malware. By leveraging cutting-edge detection capabilities and analyzing emerging attack methods, we can swiftly identify and block threats aimed at exploiting vulnerabilities, such as the LDAP vulnerability that could lead to denial-of-service (DoS) attacks. Our ongoing commitment to proactive security research and incident response ensures that potential threats—whether designed to steal sensitive information or disrupt services—are effectively neutralized before they can cause significant damage. This comprehensive approach helps safeguard both our infrastructure and the critical data of our clients from evolving cyber threats

Sources 

• https://www.securityweek.com/infostealer-masquerades-as-poc-code-targeting-recent-ldap-vulnerability/ 

• https://www.trendmicro.com/en_us/research/25/a/information-stealer-masquerades-as-ldapnightmare-poc-exploit.html 

AWS Falls Victim to Ransomware  

An emerging ransomware group dubbed Codefinger has been observed encrypting objects within the Amazon Web Services (AWS) Simple Storage Service (S3). While exposed buckets are a common target of extortionists looking for a payday, this is the first known instance of AWS cloud infrastructure being the target of encryption. The threat actor is able to accomplish data encryption in the S3 buckets, which are cloud storage containers for storing various types of data, by utilizing a native encryption function built into the AWS S3 services called SSE-C.  

What’s Notable and Unique  

• SSE-C allows AWS users to encrypt and secure their data by creating their own encryption key. AWS does not store the key, which is what ultimately allowed attackers to abuse this encryption capability. The threat actors associated with Codefinger gained access to the AWS services using compromised credentials before encrypting the victim data with the SSE-C functionality, forcing the victims to pay for the data or lose access to the encrypted data.

• In previous SJA Labs engagements with data exfiltration through S3 buckets, the ransom demands have always been nominal. This, coupled with the fact that victims are less likely to pay cybercriminals demands in instances where there is no data encryption, kept the overall impact on the threat landscape low. However, with the newly identified encryption method showcased by Codefinger, it is possible that both the ransom demands and the likelihood of ransom payments will increase.

• It should be noted that native encryption capabilities are available in a variety of software and operating systems, with the most commonly abused being the Windows encryption tool Bitlocker. 

Analyst Comments  

The encryption of data held within the cloud is uniquely interesting because it opens the door to a whole new playing field for cybercriminals, with many organizations potentially operating under a false sense of security. It is still too early to tell with a high degree of confidence whether this encryption method will be adopted by other threat groups, or if Codefinger will become a prolific cybercrime group. However, should this tactic be heavily adopted, it could significantly increase the threat landscape available to cybercriminals. 

Sources 

• https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c