CastleBot Malware-as-a-Service Deploys Ransomware Attack Related Payloads

Pulse ID: 6896e2b4a89fd1e922a224dd
Pulse Link: https://otx.alienvault.com/pulse/6896e2b4a89fd1e922a224dd
Pulse Author: cryptocti
Created: 2025-08-09 05:55:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Malware #MalwareAsAService #OTX #OpenThreatExchange #RansomWare #bot #cryptocti

Phishing Attack: Deploying Malware on Indian Defense BOSS Linux

APT36, a Pakistan-based threat actor, has launched a sophisticated cyber-espionage campaign targeting the Indian defense sector. The group has adapted its tactics to focus on Linux-based environments, particularly BOSS Linux, used by Indian government agencies. The attack involves phishing emails with a ZIP file containing a malicious .desktop file. When executed, it downloads a legitimate PowerPoint file as a decoy while simultaneously deploying a malicious ELF binary. This multi-stage approach aims to bypass user suspicion and evade traditional security measures. The campaign signifies an advancement in APT36's capabilities and poses an increased risk to critical government and defense infrastructure. Organizations using Linux-based systems are advised to implement robust cybersecurity controls and threat detection mechanisms to mitigate potential risks.

Pulse ID: 68962f0efb122a6feb479f83
Pulse Link: https://otx.alienvault.com/pulse/68962f0efb122a6feb479f83
Pulse Author: AlienVault
Created: 2025-08-08 17:08:30

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ELF #Email #Espionage #Government #ICS #India #InfoSec #Linux #Malware #OTX #OpenThreatExchange #Pakistan #Phishing #SMS #ZIP #bot #cyberespionage #AlienVault

Atomic macOS Stealer includes a backdoor for persistent access

The Atomic macOS Stealer (AMOS) has received a major update, now including an embedded backdoor for persistent access to compromised Mac devices. This upgrade allows attackers to maintain access, run remote tasks, and gain extended control over infected machines. The Russia-affiliated AMOS threat group has expanded its capabilities beyond data exfiltration, now enabling full system compromise. The malware's distribution vectors include websites offering cracked software and spear phishing campaigns targeting high-value individuals. The infection process involves a trojanized DMG file, bash scripts, and AppleScript for execution and persistence. The backdoor communicates with command-and-control servers, fetching and executing tasks on compromised systems. This evolution represents a significant escalation in both capability and intent, posing a higher risk to macOS users worldwide.

Pulse ID: 68962f0e7822ab0d6a0e804c
Pulse Link: https://otx.alienvault.com/pulse/68962f0e7822ab0d6a0e804c
Pulse Author: AlienVault
Created: 2025-08-08 17:08:30

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AMOS #Atomic #BackDoor #CyberSecurity #InfoSec #Mac #MacOS #Malware #OTX #OpenThreatExchange #Phishing #RAT #Russia #SpearPhishing #Trojan #bot #AlienVault

Exposed JDWP Exploited in the Wild: What Happens When Debug Ports Are Left Open

A routine monitoring by researchers uncovered an exploitation attempt on a honeypot server running TeamCity, a CI/CD tool. The attack exploited an exposed Java Debug Wire Protocol (JDWP) interface, leading to remote code execution, deployment of cryptomining payload, and establishment of multiple persistence mechanisms. The attack was notable for its rapid exploitation, use of a customized XMRig payload, and stealthy crypto-mining techniques. JDWP, designed for debugging Java applications, becomes a high-risk entry point when exposed to the Internet without proper authentication. The attackers used a structured sequence to achieve remote code execution, likely using a variant of jdwp-shellifier. They deployed a dropper script that installed an XMRig miner and set up various persistence mechanisms including boot scripts, systemd services, cron jobs, and shell configuration files.

Pulse ID: 68962f0f91f8829022afff4a
Pulse Link: https://otx.alienvault.com/pulse/68962f0f91f8829022afff4a
Pulse Author: AlienVault
Created: 2025-08-08 17:08:31

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CryptoMining #CyberSecurity #HoneyPot #InfoSec #Java #OTX #OpenThreatExchange #RAT #RemoteCodeExecution #SMS #TeamCity #XMRigMiner #bot #AlienVault

Frozen in transit: Secret Blizzard's AiTM campaign against diplomats

Secret Blizzard, a Russian state actor, has been conducting a cyberespionage campaign targeting embassies in Moscow using an adversary-in-the-middle (AiTM) position to deploy ApolloShadow malware. This campaign, ongoing since 2024, poses a high risk to diplomatic entities relying on local internet providers in Russia. The actor leverages an AiTM position at the ISP level to redirect target devices through a captive portal, installing root certificates under the guise of Kaspersky Anti-Virus. ApolloShadow has the capability to maintain persistence on diplomatic devices for intelligence collection. The malware alters host settings, installs certificates, and creates an administrative user for persistent access. Microsoft recommends routing all traffic through encrypted tunnels or using satellite-based providers to mitigate this threat.

Pulse ID: 6896279828d605067175b102
Pulse Link: https://otx.alienvault.com/pulse/6896279828d605067175b102
Pulse Author: AlienVault
Created: 2025-08-08 16:36:40

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AdversaryInTheMiddle #AitM #CyberSecurity #Cyberespionage #Espionage #InfoSec #Kaspersky #Malware #Microsoft #OTX #OpenThreatExchange #RAT #Russia #bot #AlienVault

650 Attack Tools, One Coordinated Campaign

The GreedyBear attack group has launched a massive crypto theft operation, utilizing 150 weaponized Firefox extensions, nearly 500 malicious executables, and numerous phishing websites. Their tactics include Extension Hollowing to bypass marketplace security, distributing various malware families, and creating scam sites masquerading as crypto products. The campaign's infrastructure is consolidated to a single IP address, suggesting a centralized backend. The group has expanded from its earlier Foxy Wallet campaign and shows signs of potential growth beyond Firefox. The attackers are leveraging AI to scale their operations, making it challenging for traditional security measures to keep up. The campaign has reportedly stolen over $1 million from victims.

Pulse ID: 68962f0b3e7844baa4f7565b
Pulse Link: https://otx.alienvault.com/pulse/68962f0b3e7844baa4f7565b
Pulse Author: AlienVault
Created: 2025-08-08 17:08:27

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #FireFox #ICS #InfoSec #Malware #OTX #OpenThreatExchange #Phishing #RAT #bot #AlienVault

GenAI Used to Impersonate Brazil's Government Websites

Threat actors are leveraging generative AI tools like DeepSite AI and BlackBox AI to create phishing templates that closely mimic official Brazilian government websites, such as the State Department of Traffic and Ministry of Education. These malicious replicas are boosted in search results using SEO poisoning techniques. The phishing pages collect sensitive personal data, including CPF numbers and addresses, validating the information through APIs to build credibility. The ultimate goal is to trick victims into making payments via Pix, Brazil's instant payment system. Technical analysis reveals AI-generated source code signatures, including TailwindCSS styling, explanatory comments, and non-functional elements. The campaign demonstrates the evolving sophistication of phishing attacks empowered by generative AI tools.

Pulse ID: 6896279970e62c2bef3c1a32
Pulse Link: https://otx.alienvault.com/pulse/6896279970e62c2bef3c1a32
Pulse Author: AlienVault
Created: 2025-08-08 16:36:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Brazil #CyberSecurity #Education #Government #InfoSec #Mimic #NATO #OTX #OpenThreatExchange #Phishing #RAT #RCE #SEOPoisoning #bot #AlienVault

Statistics Report on Malware Targeting Windows Web Servers in Q2 2025

AhnLab Security Intelligence Center analyzed attacks on Windows web servers during Q2 2025 using their Smart Defense infrastructure. The study focused on poorly managed servers, categorizing attack types and malware strains. It revealed that multiple threat actors often target vulnerable servers simultaneously, exploiting unpatched systems or misconfigurations. Attackers typically use file upload vulnerabilities to deploy web shells and execute commands, but may also exploit framework or Web Application Server weaknesses. The analysis provides detailed statistics on the number of affected systems and the frequency of attacks, offering insights into the current threat landscape for Windows-based web servers.

Pulse ID: 68962f0cc24e24c3ada6d33b
Pulse Link: https://otx.alienvault.com/pulse/68962f0cc24e24c3ada6d33b
Pulse Author: AlienVault
Created: 2025-08-08 17:08:28

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AhnLab #CyberSecurity #ICS #InfoSec #Malware #OTX #OpenThreatExchange #RAT #Windows #bot #AlienVault

Statistics Report on Malware Targeting Windows Database Servers in Q2 2025

The analysis team has categorized attacks on MS-SQL and MySQL servers installed on Windows systems during Q2 2025. While the number of targeted systems remains stable, attacks on MS-SQL servers have been decreasing. MySQL servers saw a significant spike in attacks in June 2025. The report provides detailed statistics on attack trends, including graphs illustrating the attack status for both server types. It also includes a list of MD5 hashes, URLs, FQDNs, and IP addresses associated with the malicious activities. The analysis covers various types of malware and tools used in these attacks, ranging from backdoors and miners to ransomware and remote access trojans.

Pulse ID: 68962f0d3f4895c81350d372
Pulse Link: https://otx.alienvault.com/pulse/68962f0d3f4895c81350d372
Pulse Author: AlienVault
Created: 2025-08-08 17:08:29

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #DNS #ICS #InfoSec #MSSQL #Malware #MySQL #OTX #OpenThreatExchange #RAT #RansomWare #RemoteAccessTrojan #SQL #Trojan #Windows #bot #AlienVault

CoinMiner Attacks Exploiting GeoServer Vulnerability

A critical remote code execution vulnerability (CVE-2024-36401) in GeoServer has been actively exploited by threat actors to install CoinMiner malware. The attacks target both Windows and Linux environments with unpatched GeoServer installations. In South Korea, attackers exploited the vulnerability to execute PowerShell commands, installing NetCat for remote access and XMRig for cryptocurrency mining. The attack process involves downloading malicious scripts, terminating competing miners, and establishing persistence through Cron jobs. The threat actors use pool.supportxmr.com for mining Monero coins and can potentially perform additional malicious activities using the installed NetCat.

Pulse ID: 68962f0d60d5de6c3ecb055f
Pulse Link: https://otx.alienvault.com/pulse/68962f0d60d5de6c3ecb055f
Pulse Author: AlienVault
Created: 2025-08-08 17:08:29

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CoinMiner #CyberSecurity #InfoSec #Korea #Linux #Malware #OTX #OpenThreatExchange #PowerShell #RemoteCodeExecution #SouthKorea #Vulnerability #Windows #bot #cryptocurrency #AlienVault

Unveiling a New Variant of the DarkCloud Campaign

A new DarkCloud campaign was observed in July 2025, targeting Windows users with a sophisticated infection chain. The attack begins with a phishing email containing a RAR archive, which leads to the execution of obfuscated JavaScript and PowerShell code. This code downloads and deploys a fileless .NET DLL, which in turn downloads and injects the DarkCloud payload into a legitimate Windows process. The DarkCloud variant, written in Visual Basic 6, employs anti-analysis techniques and collects sensitive information from various sources, including web browsers, email clients, and FTP clients. The stolen data is exfiltrated via SMTP. The campaign demonstrates advanced evasion techniques and targets a wide range of user credentials and personal information.

Pulse ID: 689603fb45b4df2572916578
Pulse Link: https://otx.alienvault.com/pulse/689603fb45b4df2572916578
Pulse Author: AlienVault
Created: 2025-08-08 14:04:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cloud #CyberSecurity #Email #InfoSec #Java #JavaScript #NET #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RCE #Windows #bot #AlienVault

Efimer Trojan delivered via email and hacked WordPress websites

The Efimer Trojan is spreading through compromised WordPress sites, malicious torrents, and email campaigns impersonating lawyers. It steals cryptocurrency by replacing wallet addresses in the clipboard and can execute additional malicious scripts. The Trojan communicates with its command-and-control server via the Tor network. It has additional capabilities to brute-force WordPress sites and harvest email addresses for further distribution. The malware primarily targeted users in Brazil, India, Spain, Russia, Italy, and Germany between October 2024 and July 2025, affecting over 5,000 Kaspersky users.

Pulse ID: 689603fc3a16a87400a387ee
Pulse Link: https://otx.alienvault.com/pulse/689603fc3a16a87400a387ee
Pulse Author: AlienVault
Created: 2025-08-08 14:04:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Brazil #Clipboard #CyberSecurity #Email #Germany #India #InfoSec #Italy #Kaspersky #Malware #OTX #OpenThreatExchange #RCE #RDP #Russia #Spain #Trojan #Word #Wordpress #bot #cryptocurrency #AlienVault

The Homograph Illusion: Not Everything Is As It Seems

Homograph attacks involve using non-Latin characters that visually resemble Latin characters to create words that appear legitimate but are actually different. This technique allows attackers to evade detection and analysis, crafting malicious emails that can lead to credential theft or malware infection. The article examines three real-world cases of homograph attacks used in phishing attempts, including impersonation of well-known brands and document-sharing platforms. These attacks exploit visual similarities to deceive users, bypass security filters, and impersonate trusted entities. The rise of AI-driven phishing makes this vector even more dangerous. To protect against homograph attacks, it's crucial to carefully examine sender addresses, be wary of unknown senders, and avoid engaging with suspicious attachments or URLs.

Pulse ID: 689627920ecf51e98bcdf15f
Pulse Link: https://otx.alienvault.com/pulse/689627920ecf51e98bcdf15f
Pulse Author: AlienVault
Created: 2025-08-08 16:36:34

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Email #InfoSec #Malware #OTX #OpenThreatExchange #Phishing #Rust #Word #bot #AlienVault

AI-Powered Phishing Scams and Efimer Trojan has Affected Over 5000 Victims

Cybercriminals are using generative AI tools like DeepSite AI and BlackBox
AI to create highly convincing phishing websites mimicking government
agencies.

Pulse ID: 6896539bec8df85f039c93df
Pulse Link: https://otx.alienvault.com/pulse/6896539bec8df85f039c93df
Pulse Author: cryptocti
Created: 2025-08-08 19:44:27

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Government #InfoSec #Mimic #OTX #OpenThreatExchange #Phishing #RAT #Trojan #bot #cryptocti

Threat Actors Weaponize Gopackages to Deliver Obfuscated Remote Payloads

Cybersecurity researchers have uncovered a sophisticated malware campaign targeting the Go programming language ecosystem through eleven malicious packages and ten of which are still active on the Go Module registry.

Pulse ID: 6896007dfe16449043f911e4
Pulse Link: https://otx.alienvault.com/pulse/6896007dfe16449043f911e4
Pulse Author: cryptocti
Created: 2025-08-08 13:49:49

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #bot #cryptocti

Infrastructure of Interest: Medium Confidence Detection

These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations.

Pulse ID: 6894583edc4b67d5c7c5cb34
Pulse Link: https://otx.alienvault.com/pulse/6894583edc4b67d5c7c5cb34
Pulse Author: AlienVault
Created: 2025-08-07 07:39:42

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Endpoint #ICS #InfoSec #OTX #OpenThreatExchange #RCE #bot #AlienVault

Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator

SocGholish, operated by TA569, functions as a Malware-as-a-Service vendor, employing deceptive 'fake browser update' lures to compromise systems. It leverages Traffic Distribution Systems like Parrot TDS and Keitaro TDS to filter and redirect victims. TA569 acts as an Initial Access Broker, enabling other cybercriminal groups to conduct follow-on attacks, including ransomware deployments. SocGholish utilizes domain shadowing and frequent domain rotation to evade detection. The malware's infection chain involves multiple stages, from compromised websites to on-device payload delivery. Notable customers include Evil Corp and MintsLoader operators. SocGholish's sophisticated filtering mechanisms and tracking techniques ensure only high-value targets receive the final payload.

Pulse ID: 6895aceaf8d4d7295fce7c8c
Pulse Link: https://otx.alienvault.com/pulse/6895aceaf8d4d7295fce7c8c
Pulse Author: AlienVault
Created: 2025-08-08 07:53:14

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberSecurity #FakeBrowser #FakeUpdates #InfoSec #Malware #MalwareAsAService #OTX #OpenThreatExchange #Parrot #RAT #RansomWare #SMS #SocGholish #bot #AlienVault

New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer

Unit 42 researchers have observed changes in the distribution and obfuscation techniques of DarkCloud Stealer. The new infection chain, first seen in April 2025, involves ConfuserEx obfuscation and a final payload written in Visual Basic 6. The attack begins with a phishing email containing an archive file, which leads to the download and execution of a PowerShell script. This script then drops an executable protected by ConfuserEx, which ultimately injects the DarkCloud Stealer payload into a legitimate process. The malware employs various anti-analysis techniques, including encryption and obfuscation of strings. These changes highlight the evolving evasion strategies of cybercriminals and underscore the need for advanced, behavior-based threat detection approaches.

Pulse ID: 6895aeaa72538302a5d75512
Pulse Link: https://otx.alienvault.com/pulse/6895aeaa72538302a5d75512
Pulse Author: AlienVault
Created: 2025-08-08 08:00:42

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CyberSecurity #Email #Encryption #InfoSec #Malware #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #Unit42 #bot #AlienVault

Observed Malicious Driver Use Associated with Akira SonicWall Campaign

Akira affiliates have been observed exploiting two common drivers as part of a suspected AV/EDR evasion effort following initial access involving SonicWall abuse. The drivers, rwdrv.sys and hlpdrv.sys, are being used to facilitate AV/EDR evasion or disablement through a Bring Your Own Vulnerable Driver (BYOVD) exploitation chain. This behavior has been prevalent in recent Akira ransomware incident response cases. The campaign may be driven by an unreported zero-day vulnerability in SonicWall VPNs. Defenders are advised to harden SonicWall VPNs, implement recommended mitigations, and use provided YARA rules for detection and response to pre-ransomware activity.

Pulse ID: 6895b04096ab14debd24e809
Pulse Link: https://otx.alienvault.com/pulse/6895b04096ab14debd24e809
Pulse Author: AlienVault
Created: 2025-08-08 08:07:28

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Akira #CyberSecurity #EDR #InfoSec #OTX #OpenThreatExchange #RansomWare #VPN #Vulnerability #ZeroDay #bot #AlienVault

Infrastructure of Interest: High Confidence InfoStealer

These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with infostealer malware, designed to harvest sensitive data such as credentials, cookies, and financial information from compromised systems. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations involving data theft.

Pulse ID: 68944f2e9f9c9eb0ffe45b5c
Pulse Link: https://otx.alienvault.com/pulse/68944f2e9f9c9eb0ffe45b5c
Pulse Author: AlienVault
Created: 2025-08-07 07:01:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cookies #CyberSecurity #DataTheft #Endpoint #ICS #InfoSec #InfoStealer #Malware #OTX #OpenThreatExchange #RCE #bot #AlienVault