@www.recordedfuture.com
//
References:
The Hacker News
, www.recordedfuture.com
A new malware loader called MintsLoader is being used to distribute a remote access trojan (RAT) known as GhostWeaver. According to a report by Recorded Future's Insikt Group, MintsLoader employs a multi-stage infection chain that involves obfuscated JavaScript and PowerShell scripts. This loader is designed to evade sandbox environments and virtual machines, making it more difficult to detect and analyze. It also utilizes a domain generation algorithm (DGA) to create daily-changing command-and-control (C2) domains, adding another layer of complexity to the attack.
MintsLoader has been observed in phishing and drive-by download campaigns since early 2023. It is known to deliver various follow-on payloads, including StealC and a modified version of the Berkeley Open Infrastructure for Network Computing (BOINC) client. Threat actors are using MintsLoader in e-crime services like SocGholish and LandUpdate808, targeting the industrial, legal, and energy sectors through phishing emails and fake browser update prompts. Recent attacks have also incorporated the ClickFix social engineering tactic to trick users into executing malicious code. GhostWeaver, the RAT distributed by MintsLoader, is designed to maintain persistent communication with its C2 server, which is secured through TLS encryption using an obfuscated, self-signed X.509 certificate. GhostWeaver can also deploy MintsLoader as an additional payload. The loader's primary strengths lie in its evasion techniques and DGA implementation, which allow it to bypass security measures and complicate detection efforts. Recommended read:
References :
@securityonline.info
//
Earth Kurma, a newly identified Advanced Persistent Threat (APT) group, has been actively targeting government and telecommunications organizations in Southeast Asia since June 2024. According to reports from Trend Micro and other security firms, the group's activities, which date back to November 2020, primarily focus on cyberespionage and data exfiltration. Countries affected include the Philippines, Vietnam, Thailand, and Malaysia. The threat actors are particularly interested in exfiltrating sensitive data, often utilizing public cloud services like Dropbox and Microsoft OneDrive for this purpose.
Earth Kurma employs a sophisticated blend of custom malware, stealthy rootkits, and living-off-the-land (LotL) techniques. Their arsenal includes tools such as TESDAT, SIMPOBOXSPY, KRNRAT, and MORIYA, the latter two being rootkits designed for persistence and concealing malicious activities. The group's use of rootkits like MORIYA, which intercepts TCP traffic and injects malicious payloads, highlights their advanced evasion capabilities. Notably, Earth Kurma also abuses PowerShell for data collection, using commands to gather files of interest based on file extensions such as PDF, DOC, XLS, and PPT. Detection strategies focus on monitoring process creations and command-line activities associated with known file extensions used by the group. The group leverages legitimate system tools and features, such as syssetup.dll, to install rootkits, making detection more challenging. While there are overlaps with other APT groups like ToddyCat and Operation TunnelSnake, definitive attribution remains inconclusive. Security researchers emphasize the high business risk posed by Earth Kurma due to their targeted espionage, credential theft, persistent footholds, and data exfiltration via trusted cloud platforms. Recommended read:
References :
@techradar.com
//
State-sponsored hacking groups from North Korea, Iran, and Russia have been found leveraging the increasingly popular ClickFix social engineering tactic to deploy malware. This technique, which tricks users into clicking malicious links or executing malicious commands, has been adopted by advanced persistent threat (APT) groups, demonstrating the evolving nature of cyber threats and the increasing fluidity of tactics in the threat landscape. Researchers have observed these groups incorporating ClickFix into their espionage operations between late 2024 and early 2025.
Proofpoint researchers documented this shift, noting that the incorporation of ClickFix is replacing the installation and execution stages in existing infection chains. The technique involves using dialogue boxes with instructions to trick victims into copying, pasting, and running malicious commands on their machines. These commands, often disguised as solutions to fake error messages or security alerts, ultimately lead to the execution of harmful scripts. This dual-pronged approach makes ClickFix particularly insidious, as it leverages human interaction to bypass traditional security measures like antivirus software and firewalls. Specific examples of ClickFix campaigns include North Korea's TA427 targeting think tanks with spoofed emails and malicious PowerShell commands, and Iran's TA450 targeting organizations in the Middle East with fake Microsoft security updates. Russian-linked groups, such as UNK_RemoteRogue and TA422, have also experimented with ClickFix, distributing infected Word documents or using Google spreadsheet mimics to execute PowerShell commands. Experts warn that while some groups experimented with the technique in limited campaigns before returning to standard tactics, this attack method is expected to become more widely tested or adopted by threat actors. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
The Russia-linked cyber espionage group Shuckworm, also known as Gamaredon or Armageddon, is actively targeting a Western country's military mission based in Ukraine. The campaign, which began in February 2025 and continued through March, involves the deployment of an updated, PowerShell-based version of its GammaSteel infostealer malware. This latest wave of activity underscores Shuckworm's persistent focus on Ukrainian targets, with the group believed to be operating on behalf of Russia's Federal Security Service (FSB). They have historically concentrated their efforts on government, military, and law enforcement targets in Ukraine.
The initial infection vector in this campaign appears to be infected removable drives. Evidence from the Windows Registry's UserAssist key suggests that the infection was triggered from such an external drive. The attack chain is multi-staged and designed to minimize detection. It involves the execution of obfuscated VBScript and PowerShell scripts stored in the registry. This shift towards PowerShell-based tools allows Shuckworm to improve obfuscation and store scripts directly within the Windows Registry, making file-based detection more challenging. GammaSteel, the malware deployed in this campaign, now has enhanced reconnaissance features. It is capable of capturing screenshots, gathering system information, and enumerating desktop contents and user documents. The malware targets specific file types such as documents, spreadsheets, and PDFs. Shuckworm's exfiltration methods have also become more sophisticated, utilizing PowerShell web requests or cURL with Tor proxies to extract sensitive data stealthily. This campaign demonstrates an increase in sophistication for Shuckworm, with the group leveraging legitimate web services to lower the risk of detection. Recommended read:
References :
Oleg (noreply@blogger.com)@Know Your Adversary
//
The RedCurl APT, also known as Earth Kapre or Red Wolf, has been observed abusing PowerShell for data collection and exfiltration. According to a report by eSentire, this sophisticated cyber espionage group is actively targeting private sector organizations, with a particular focus on corporate espionage. The attackers use a multi-stage intrusion to bypass conventional defenses, starting with phishing ploys and breaking down the intrusion into stages.
RedCurl leverages PowerShell in several key steps of their attacks. First, they use 7-Zip to archive collected data, employing specific command-line parameters like "x", "-aoa", "-p", and "-o" during the archival process. Then, PowerShell is used to exfiltrate the archived data via MSXML2.ServerXMLHTTP and ADODB.Stream, employing commands such as "LoadFromFile", "PUT", and "Send". eSentire's Threat Response Unit (TRU) advises tracking these specific PowerShell executions and command-line arguments to detect and mitigate RedCurl's activities. Recommended read:
References :
@gbhackers.com
//
References:
The Hacker News
, MSSP feed for Latest
,
North Korean state-backed threat group Kimsuky, also known as APT43, is actively targeting South Korean entities through a sophisticated cyber campaign, dubbed DEEP#DRIVE. This ongoing operation, potentially active since September, involves attacks leveraging PowerShell and Dropbox against South Korean government, business, and cryptocurrency firms. The attackers initiate intrusions with phishing emails containing a ZIP archive with an LNK file, disguised as legitimate documents, to trick recipients into triggering the infection process.
The attack chain relies heavily on PowerShell scripts for various stages, including payload delivery, reconnaissance, and execution, as well as using Dropbox for payload distribution and data exfiltration. Upon execution, the LNK file initiates a PowerShell script that retrieves a lure document hosted on Dropbox. It also retrieves another PowerShell script for system data exfiltration and installs a third script to execute an unknown .NET assembly. This cloud-based infrastructure enables stealthy payload hosting and retrieval, complicating detection efforts. Recommended read:
References :
@gbhackers.com
//
North Korean hackers, specifically the Kimsuky APT group (also known as Emerald Sleet), have been observed employing a new tactic to compromise targets. The group is tricking individuals into running PowerShell as an administrator, then instructing them to paste and execute malicious code they provide. The threat actor masquerades as a South Korean government official, building rapport before sending a spear-phishing email with a PDF attachment containing instructions to open PowerShell as an administrator and paste a specific code snippet.
If the target executes the code, it downloads and installs a browser-based remote desktop tool along with a certificate and PIN. The code then sends a web request to register the victim device, granting the threat actor access for data exfiltration. Microsoft Threat Intelligence has observed this tactic in limited attacks since January 2025, describing it as a departure from the threat actor's usual tradecraft. Recommended read:
References :
|