Full Report
This is a weekly threat intelligence report review from RST Cloud. This week, we analysed 64 threat intelligence reports and compiled a concise summary of each, along with pertinent metadata that was extracted. You can find below a short summary of 10 reports, related threats, tools, threat actors, a link to the source, and a number of extracted indicators of compromise (IoCs) from the original reports. More granular information, including TTPs, on all reports is available via RST Report Hub.

Title: Venom Spider Uses Server-Side Polymorphism to Weave a Web Around Victims
Link: https://arcticwolf.com/resources/blog-uk/venom-spider-uses-server-side-polymorphism-to-weave-web-around-victims/
Summary: Arctic Wolf Labs has uncovered a targeted campaign by the financially motivated group Venom Spider, which specifically targets human resources departments through spear-phishing emails containing fake resumes. These emails lead to a malicious website where victims download a ZIP file that includes a Windows shortcut, triggering the More_eggs backdoor, sophisticated malware capable of credential theft and data exfiltration. This malware employs advanced obfuscation techniques and server-side polymorphism, allowing it to generate unique payloads and effectively evade detection through time delays and the use of legitimate system commands. Communication with a command-and-control server facilitates further malicious activities and the execution of remote commands on the compromised systems.
Threats: venom_spider_group polymorphism_technique more_eggs spear-phishing_technique magecart_group lolbin_technique terraloader
Indicators of compromise:
-------------------------
ip: 208[.]109[.]231[.]95
domain: municipiodechepo[.]org, ryanberardi[.]com, doefstf[.]ryanberardi[.]com, dtde[.]ryanberardi[.]com, tool[.]municipiodechepo[.]org
url: http://doefstf[.]ryanberardi[.]com/ikskck, https://tool[.]municipiodechepo[.]org/id/243149, http://doefstf[.]ryanberardi[.]com, http://dtde[.]ryanberardi[.]com, http://dtde[.]ryanberardi[.]com/ikskck, https://beta[.]w3[.]org[.]kz/release/info, https://host[.]moresecurity[.]kz/host/info, https://report[.]monicabellucci[.]kz/295693495/info, https://cast[.]voxcdn[.]kz/yui/yui-min[.]js, https://contactlistsagregator[.]com/j2378745678674623/ajax[.]php, https://onlinemail[.]kz/version44/info, https://stats[.]wp[.]org[.]kz/license[.]txt, https://api[.]incapdns[.]kz/v1
hash:
- md5=ec103191c61e4c5e55282f4ffb188156, sha256=f7a405795f11421f0996be0d0a12da743cc5aaf65f79e0b063be6965c8fb8016
- md5=c16aa3276e4bcbbe212d5182de12c2b7, sha256=bd49b2db669f920d96008047a81e847ba5c2fd12f55cfcc0bb2b11f475cdf76f
- md5=ebb5fb96bf2d8da2d9f0f6577766b9f1, sha256=2fef6c59fbf16504db9790fcc6759938e2886148fc8acab84dbd4f1292875c6c
- sha256=0af266246c905431e9982deab4ad38aaa63d33a725ff7f7675eb23dd75ca4d83, md5=2da2f53ffd9969aa8004d0e1060d2ed1
- sha256=f873352564a6bd6bd162f07eb9f7a137671054f7ef6e71d89a1398fb237c7a7b, md5=17158538b95777541d90754744f41f58
- sha256=184788267738dfa09c82462821b1363dbec1191d843da5b7392ee3add19b06fb, md5=46f142198eeeadc30c0b4ddfbf0b3ffd
- md5=b1e8602e283bbbdf52df642dd460a2a2, sha256=ccb05ca9250093479a6a23c0c4d2c587c843974f229929cd3a8acd109424700d
email:

Title: Threat Analysis: SAP Vulnerability Exploited in the Wild by Chinese Threat Actor
Link: https://www.forescout.com/blog/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor/
Summary: The exploitation of CVE-2025-31324, a vulnerability in SAP NetWeaver Visual Composer, has been linked to Chinese threat actors who use it to execute remote code by uploading malicious web shells through the /developmentserver/metadatauploader endpoint. These web shells facilitate manipulation of SAP applications, particularly in critical manufacturing sectors, leading to severe operational risks and data breaches. Scanning activity identified multiple IP addresses, some from reputable hosting services, probing for vulnerable servers to deploy additional malicious payloads, and a specific IP was connected to the SuperShell backdoor used by the group dubbed "Chaya_004." This reflects a sophisticated threat landscape characterized by advanced operational capabilities and a reliance on compromised infrastructure, warranting further intelligence monitoring.
Threats: chaya_004_group supershell cobalt_strike arl_tool pocassit_tool supply_chain_technique zgrab_scanner_tool lighthouse
Indicators of compromise:
-------------------------
ip: 45[.]94[.]43[.]41, 47[.]97[.]42[.]177, 49[.]232[.]93[.]226, 135[.]119[.]17[.]221, 172[.]212[.]216[.]128, 20[.]118[.]200[.]88, 20[.]15[.]201[.]23, 20[.]150[.]192[.]39, 20[.]150[.]202[.]55, 20[.]163[.]15[.]93, 20[.]163[.]57[.]193, 20[.]163[.]74[.]20, 20[.]169[.]105[.]57, 20[.]169[.]48[.]59, 20[.]171[.]30[.]196, 20[.]171[.]9[.]108, 20[.]29[.]42[.]207, 20[.]65[.]193[.]234, 20[.]65[.]194[.]9, 20[.]65[.]195[.]20, 40[.]67[.]161[.]44, 13[.]228[.]100[.]218, 13[.]58[.]39[.]15, 18[.]142[.]70[.]42, 18[.]159[.]188[.]112, 3[.]12[.]99[.]176, 3[.]19[.]125[.]50, 3[.]65[.]236[.]123, 3[.]65[.]237[.]228, 3[.]77[.]117[.]203, 35[.]157[.]196[.]116, 52[.]74[.]236[.]95, 163[.]172[.]146[.]243, 212[.]28[.]183[.]85, 212[.]47[.]227[.]221, 212[.]56[.]34[.]86, 31[.]220[.]89[.]227, 51[.]15[.]223[.]138, 51[.]158[.]64[.]240, 51[.]158[.]97[.]138, 89[.]117[.]18[.]228, 89[.]117[.]18[.]230, 94[.]72[.]102[.]203, 94[.]72[.]102[.]225, 94[.]72[.]102[.]253, 8[.]210[.]65[.]56
domain: search-email[.]com
url: http://47[.]97[.]42[.]177:8888/supershell/login, http://search-email[.]com:443/ServiceLogin/_/kids/signup/eligible, http://8[.]210[.]65[.]56:5000
hash:
- sha256=f1e505fe96b8f83c84a20995e992b3794b1882df4954406e227bd7b75f13c779
- sha256=888e953538ff668104f838120bc4d801c41adb07027db16281402a62f6ec29ef
email:

Title: one, Affected Situations
Link: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247505926&idx=1&sn=13195b235e4276795aea09526e25a9b4&chksm=f9c1eb0fceb6621903751c85c932bd70315ea98332b3d5d114ba8f3bbbb9ecad8769cb480999&scene=178&cur_album_id=1955835290309230595&search_click_id
Summary: The Transparent Tribe, a South Asian APT group, has expanded its cyber operations to mobile attacks, particularly targeting the agriculture and aviation sectors, with over sixty victim devices linked primarily to the Indian military. Notably, in August 2023, the group employed phishing tactics via spoofed Google Play pages to distribute a malicious chat application called Vibe, which is part of a new malware family named Dcpro. This application, designed for espionage, includes capabilities to steal sensitive data such as contacts and call records, with evidence suggesting a link to a C&C infrastructure associated with reputable Pakistani organizations and the presence of CapraRAT malware on one of the victim devices, highlighting the group's evolving tactics toward mobile platforms and ongoing focus on long-term intelligence gathering.
Threats: transparenttribe_group dcpro caprarat rlmrat
Indicators of compromise:
-------------------------
ip: 95[.]217[.]147[.]103
domain: waqarawan[.]xyz, honeybeechatt[.]com, vibechatt[.]chat, www[.]ghmeetag[.]xyz, syntheticschoolsystem[.]com
url: http://www[.]vibechatt[.]chat, https://vibechatt[.]chat/play-store-app/Vibe[.]apk, http://signalchat[.]chat/vibechatt[.]chat/play-store-app, http://signalchat[.]chat/vibechatt[.]chat/play-store-app/Vibe[.]apk, http://www[.]vibechatt[.]signalchat[.]chat/play-store-app, http://www[.]vibechatt[.]signalchat[.]chat/play-store-app/Vibe[.]apk, http://signalchat[.]chat/vibechatt[.]chat, https://www[.]honeybeechatt[.]com/play-store-app/updatee[.]apk, https://vibechatt[.]com/play-store-app/VibeApp[.]apk
hash:
- md5=7508dd2a6f8a6b051c12fa6fb257f1ab
- md5=291b7062cfe987973b24f42a229153ab
- md5=c6756f595ef16e6e8f2a49c251a75bc4
- md5=fc54078c5ae26d856109d306c37909ae
- md5=72900574563dfef2e30eb17229b8831c
email:

Title: Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal
Link: https://www.trendmicro.com/en_us/research/25/e/agenda-ransomware-group-adds-smokeloader-and-netxloader-to-their.html
Summary: Research into the Agenda ransomware group, also known as Qilin, has uncovered their use of two significant malware components: SmokeLoader and a newly identified loader called NETXLOADER. Investigations conducted between late 2024 and early 2025 indicate that they targeted various industries, such as healthcare, technology, financial services, and telecommunications in multiple countries, including the US and India. NETXLOADER is a stealthy .NET-based loader that facilitates the deployment of Agenda ransomware and SmokeLoader by using complex obfuscation techniques and transient domains to avoid detection. SmokeLoader demonstrates advanced anti-analysis capabilities, including an opaque predicate method and various checks to ensure it operates in a suitable environment, subsequently injecting its payload into the Windows Explorer process. It also employs strategies to monitor and suppress security tools, while maintaining encrypted communication with its command and control infrastructure to conceal its activities.
Threats: qilin_ransomware smokeloader netxloader dotnet_reactor_tool eziriz_tool process_injection_technique process_hacker_tool
Indicators of compromise:
-------------------------
ip:
domain: bloglake7[.]cfd, mxbook17[.]cfd, mxblog77[.]cfd
url: http://mxblog77[.]cfd/777/rh1jcr4[.]exe, http://serverlogs295[.]xyz/statweb255/index[.]php, http://servblog475[.]cfd/statweb255/index[.]php, http://demblog797[.]xyz/statweb255/index[.]php, http://admlogs457[.]cfd/statweb255/index[.]php, http://blogmstat599[.]xyz/statweb255/index[.]php, http://bloglogs757[.]cfd/statweb255/index[.]php, http://pzh1966[.]com/statweb255/index[.]php, http://mxblog77[.]cfd/777
hash:
- sha1=4684aa8ab09a70d0e25139286e1178c02b15920b
- sha1=f995ec5d88afab30f9efb62ea3b30e1e1b62cdc3
- sha1=05bf016c137230bfdc6eaae95b75a56aff76799d
- sha1=bdf33e2ba85f35ea86fb016620371fe80855fe68
- sha1=16b776ff80f08105b362f9bc76c73a21c51664c2
- sha1=1399e63d4662076eeed3b4498c2f958c611a4387
email:

Title: Lampion Is Back With ClickFix Lures
Link: https://unit42.paloaltonetworks.com/lampion-malware-clickfix-lures/
Summary: The Lampion campaign, recently identified by Unit 42, is targeting various Portuguese sectors, particularly government, finance, and transportation, utilizing the long-standing Lampion malware, which has been operational since at least 2019. The campaign employs advanced social engineering tactics, specifically ClickFix lures, to deceive victims into executing harmful commands under the guise of troubleshooting. Attackers initiate the process via phishing emails containing malicious ZIP files, leading to a fraudulent tax authority website where victims unknowingly execute a malicious PowerShell command. This command triggers an infection process characterized by highly obfuscated scripts designed to evade detection, complicating security analysis and hindering timely responses. The campaign demonstrates adaptability by exploiting user behavior and the effectiveness of ClickFix tactics, while also revealing potential oversight in the attackers' strategy, evidenced by comments within the scripts that may indicate an unfinished or experimental phase of their operations.
Threats: lampion clickfix_technique lumma_stealer netsupportmanager_rat bloat_technique
Indicators of compromise:
-------------------------
ip: 5[.]8[.]9[.]77, 83[.]242[.]96[.]159, 18[.]221[.]69[.]167, 18[.]222[.]97[.]143, 18[.]116[.]15[.]129, 18[.]220[.]96[.]58, 3[.]135[.]200[.]135, 18[.]191[.]192[.]110, 18[.]224[.]38[.]123, 18[.]118[.]163[.]100, 3[.]147[.]127[.]14, 3[.]138[.]32[.]196, 18[.]117[.]11[.]70, 18[.]117[.]173[.]119, 18[.]116[.]28[.]153, 3[.]16[.]76[.]203, 3[.]15[.]7[.]241, 3[.]15[.]155[.]141, 18[.]117[.]71[.]203, 3[.]133[.]160[.]140, 3[.]133[.]113[.]215, 3[.]143[.]24[.]42, 18[.]217[.]180[.]185, 3[.]23[.]105[.]171, 3[.]142[.]200[.]117, 3[.]128[.]34[.]187, 18[.]191[.]240[.]233, 3[.]147[.]86[.]100
domain: autoridade-tributaria[.]com
url: http://18[.]116[.]63[.]61/ifeellike[.]php, http://18[.]116[.]63[.]61/trogloditas[.]php, http://3[.]135[.]249[.]199/prayfor[.]php, http://18[.]226[.]150[.]56/persistir[.]php, http://3[.]142[.]40[.]36/grow[.]php, http://3[.]23[.]103[.]13/stick[.]php, https://inde-faturas[.]com/54879878
hash:
- sha256=ee4c8e4cce55bd40afa1fb0bc0eee3d7c23d0ebe2db48c2092e854f6ca1472ce
- sha256=4aeb84dd71588a35084109ff5525c7bff2f30e0ed58ce139621b17f2374bdb35
- sha256=bba48cf24bb9e6bdcbc79c2241f101e3dd4127ab450e3dbbe1b79fa738f06483
- sha256=29b63fcf8e5f08fd12166507b3a85746e3ec685ae0620a124e64125ecd9ccf9b
- sha256=58fe2a7d4435c9c24c98d33aff1110add4bf95add31558f51289a028ddafcc6e
- sha256=334dfbaefbf7e6301d2385f95d861eb6dae9018c48fb298a2cbf5f364fbcdb2d
- sha256=1681c3b88ed315543ac1bf07d258d560cf2f85bfd26c10471d71700eaeb57fb3
email:

Title: Interlock Intrusion: How Interlock Achieves Encryption
Link: https://www.guidepointsecurity.com/blog/interesting-interlock-intrusion-how-interlock-achieves-encryption/
Summary: The ransomware group "Interlock" executed a complex multi-stage attack that began with the distribution of SocGholish malware through a compromised legitimate website, utilizing social engineering tactics to manipulate users into executing a malicious JavaScript payload. Once inside the victim's network, the attackers implemented a NodeJS application to establish an HTTP tunnel, installed a backdoor via NetSupportRAT for persistent access, and conducted reconnaissance activities, including privilege escalation to take control of administrator accounts. The culmination of the attack involved manipulating Active Directory credentials to lock the organization out of their Microsoft 365 tenant, followed by the exfiltration of sensitive data using the legitimate Azure tool AZCopy, and ultimately deploying Interlock ransomware across the network for extensive file encryption, showcasing a notable evolution in ransomware tactics.
Threats: interlock socgholish_loader netsupportmanager_rat azcopy_tool bitsadmin_tool advanced-port-scanner_tool dumplsass_tool rclone_tool bianlian_group rhysida anydesk_tool psexec_tool spear-phishing_technique credential_dumping_technique smuggling_technique
Indicators of compromise:
-------------------------
ip: 23[.]227[.]203[.]162, 65[.]109[.]226[.]176, 65[.]38[.]120[.]47
domain: zoloft-indianapolis-riders-convinced[.]trycloudflare[.]com, bidder-horizontal-wildlife-invoice[.]trycloudflare[.]com, name-kw-papua-booking[.]trycloudflare[.]com, bristol-weed-martin-know[.]trycloudflare[.]com, musicians-forestry-operation-angels[.]trycloudflare[.]com, peter-secrets-diana-yukon[.]trycloudflare[.]com
url: https://talentohc[.]com, http://emildeeeabebggm[.]top/1[.]php, https://diff-beats-belize-chapter[.]trycloudflare[.]com/12341234, https://andrixdesign[.]com/kzz/c1ub[.]zip, https://andrixdesign[.]com/kzf, https://azureapp[.]blob[.]core[.]windows[.]net
hash:
email:

Title: APT36-Style ClickFix Attack Spoofs Indian Ministry to Target Windows & Linux
Link: https://hunt.io/blog/apt36-clickfix-campaign-indian-ministry-of-defence
Summary: Threat actors have launched a sophisticated cyber attack reminiscent of the APT36 group, utilizing counterfeit imagery from India's Ministry of Defence to distribute cross-platform malware through fraudulent websites. The operation features cloned web pages that employ social engineering tactics tailored to both Linux and Windows users, manipulating interfaces to disguise malicious activity while utilizing compromised domains, such as email.gov.in.drdosurvey.info, to host malicious content. Key indicators of the campaign include the registration of domains mimicking official government subdomains and specific tactics to evade detection, like utilizing decoy documents and customizing user experiences based on operating systems, revealing a calculated approach to undermine trust and security in government communications.
Threats: clickfix_technique httrack_tool transparenttribe_group typosquatting_technique
Indicators of compromise:
-------------------------
ip: 185[.]117[.]90[.]212
domain: trade4wealth[.]in, drdosurvey[.]info, avtzyu[.]store, email[.]gov[.]in[.]drdosurvey[.]info, email[.]gov[.]in[.]avtzyu[.]store
url: https://trade4wealth[.]in/admin/assets/js, https://trade4wealth[.]in/admin/assets/css/default/index[.]php, https://trade4wealth[.]in/admin/assets/css/default/sysinte[.]hta
hash:
- sha256=7087e5f768acaad83550e6b1b9696477089d2797e8f6e3f9a9d69c77177d030e
email:

Title: Multilayered Email Attack: How a PDF Invoice and Geo-Fencing Led to RAT Malware
Link: https://www.fortinet.com/blog/threat-research/multilayered-email-attack-how-a-pdf-invoice-and-geofencing-led-to-rat-malware
Summary: A recent email campaign has been detected targeting organizations in Spain, Italy, and Portugal to distribute a Remote Access Trojan (RAT) named Ratty. Disguised as a legitimate document, the malware leverages the serviciodecorreo email provider to bypass Sender Policy Framework (SPF) validation, and employs social engineering tactics to entice recipients into downloading a malicious Java-based file labeled "FA-43-03-2025.jar" via a deceptive button in the email attachment. The attackers use Ngrok to generate temporary, geolocation-based URLs that redirect users to targeted malicious content while avoiding detection by traditional security measures, further exemplifying the modern complexity of malware distribution and attack strategies.
Threats: ngrok_tool rattyrat cloaking_technique
Indicators of compromise:
-------------------------
ip: 143[.]47[.]53[.]106, 130[.]51[.]20[.]126, 199[.]232[.]210[.]172
domain: jw8ndw9ev[.]localto[.]net, l5ugb6qxh[.]localto[.]net
url: https://download1528[.]mediafire[.]com/35ougpab4uhgHgb3Pmqh8niQ0hzS9b-TtTro5oPV5iUIULfNckqgXvjXQ6aTp-NF-k8EflSnFWC--Ffh4aX1NlYrzaPzgFlyxHVe0fKkLE1p3u5cntfU25orm92QdoQmXE9-gyI4hRgSYpaNcd3o12kJnPRbJhD3aqbl1Qx3vqbUtk8/ayp0ikmndrdseht/FA-43-03-2025[.]jar
hash:
- sha256=a1c2861a68b2a4d62b6fbfc7534f498cefe5f92f720466d24ae1b66ebc9f5731
- sha256=d20d14792c91107f53318ff7df83b9cd98acd3c394959a74e72278682822b600
- sha256=9184ff2cdd05fcaf111db23123479c845b2ece2fedccc2524b2de592f9980876
- sha256=5f897fec78e2fd812eb3bc451222e64480a9d5bc97b746cc0468698a63470880
- sha256=6153c80b17cb990caad1d80cac72c867d4ecfa1a84b7ab286b7373cd4168794e
- sha256=469b8911fd1ae2ded8532a50e9e66b8d54820c18ccdba49d7a38850d6af54475
- sha256=af8b6ac45918bc87d2a164fae888dab6e623327cba7c2409e4d0ef1dde8d1793
email:

Title: Lumma Stealer, coming and going
Link: https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/
Summary: In September 2024, researchers uncovered an active campaign involving Lumma Stealer, an infostealer malware first identified in mid-2022 and attributed to a Russian-language developer operating under a Malware-as-a-Service model. This malware targets sensitive information by directing victims to phishing sites that mimic legitimate CAPTCHA verifications, prompting users to input a malicious PowerShell command that installs Lumma Stealer. Once executed, the malware connects to various command-and-control servers to exfiltrate sensitive data, including browser credentials and personal information. The campaign exploits thousands of fake CAPTCHA sites and employs sophisticated delivery methods, including obfuscated scripts, complicating detection efforts.
Threats: lumma_stealer
Indicators of compromise:
-------------------------
ip: 104[.]21[.]84[.]25, 141[.]193[.]213[.]10
domain: snail-r1ced[.]cyou, peelyitemsn[.]click, sordid-snaked[.]cyou, immureprech[.]biz, deafeninggeh[.]biz, effecterectz[.]xyz, diffuculttan[.]xyz, debonairnukk[.]xyz, wrathful-jammy[.]cyou, awake-weaves[.]cyou
url: https://camplytic[.]com/go/cdff9f96-8cbd-4c44-b679-2f612a64cd00, https://sos-at-vie-1[.]exo[.]io/store-as/cloudflare-new-artist[.]html, https://fixedzip[.]oss-ap-southeast5[.]aliyuncs[.]com/new-artist[.]txt, https://fixedzip[.]oss-ap-southeast-5[.]aliyuncs[.]com/artist[.]zip, https://news[.]sophos[.]com/en-us/2025/05/09/lumma-stealer-coming-and-going, https://fixedzip[.]oss-ap-southeast-5[.]aliyuncs[.]com/new-artist[.]txt, https://FUGTGU76v1[.]b-cdn[.]net/nxt/ilt[.]txt, https://FUGTGU76v1[.]b-cdn[.]net/iltst[.]zip, https://fixedzip[.]oss-ap-southeast-5[.]aliyuncs[.]com/pioneer[.]txt, https://fixedzip[.]oss-ap-southeast-5[.]aliyuncs[.]com/pioneer[.]zip, https://evolytix[.]com/wp-includes/fonts/CewtlSPn[.]txt, https://www[.]googleadservices[.]com/pagead/aclk?sa=L&ai=DChcSEwi9isbdsrCKAxV1LXsHHZq8M0wYABAAGgJ0bQ&ae=2&aspm=1&co=1&ase=5&gclid=EAIaIQobChMIvYrG3bKwigMVdS17Bx2avDNMEAAYASAAEgKomfD_BwE&ohost=www[.]google[.]com&cid=CAASJuRosMAh_pmnrKgHnRyE4Lfiv_5QusyXIVc1HY8a6Eo87L0RZ4Qh&sig=AOD64_3NyGNBHFXQ9B_h3-F3Fyp0oe4HrQ&q&adurl&ved=2ahUKEwj95L3dsrCKAxU_zDgGHdUBKfsQ0Qx6BAgOEAE&nis=7&dct=1&suid=30426012769&ri=26, https://usermanualplatform[.]com/?gad_source=5&gclid=EAIaIQobChMIq7Dp5rKwigMVXaRmAh3uXySREAAYASAAEgLFUPD_BwE, https://usermahnualplatform-14[.]site/MNL14/instruction_695-18014-012_rev[.]php, https://klipdexypoi[.]shop/wassap[.]mp4
hash:
- sha256=05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
- sha1=e298cd6c5fe7b9b05a28480fd215ddcbd7aaa48a
- sha1=337424610694e00ebac66d36dd20e535c7a92164
email:

Title: Lumma Infostealer Continues Its GitHub Social Engineering Campaign
Link: https://www.picussecurity.com/resource/blog/lumma-infostealer-continues-its-github-social-engineering-campaign
Summary: Lumma Stealer is an increasingly popular information-stealing malware detected in 2024-2025, marketed as a Malware-as-a-Service (MaaS) by a threat actor known as "Shamel" or "Lumma" since August 2022. The malware leverages social engineering tactics, often impersonating trusted platforms like GitHub to deliver its payloads, and has seen a dramatic 369% increase in infections within this timeframe. It employs advanced defense evasion methods, including virtual machine detection and payload encryption, while executing attacks through legitimate system tools like PowerShell. Once installed, Lumma Stealer targets web browsers to harvest sensitive data, including passwords and cryptocurrency information, which is then exfiltrated to attackers' servers via encrypted channels. Its persistence mechanisms and sophisticated techniques such as process hollowing and Base64 encoding further enhance its ability to evade detection.
Threats: lumma_stealer polyglot_technique dll_sideloading_technique process_hollowing_technique stargazer_goblin_group spear-phishing_technique smartloader lolbin_technique junk_code_technique process_injection_technique dll_injection_technique mimikatz_tool deathransom kryptik
Indicators of compromise:
-------------------------
ip:
domain: lumdukekiy[.]shop
url: https://app[.]mediafire[.]com/5mrkd33xulszl, https://kiddoloom[.]shop/s7[.]mp4, https://n2[.]aroundpayablequirk[.]shop/s7[.]xll
hash:
- sha256=b127de888f09ce23937c12b7fccfa47a8f48312b0e43eb59b6243f665c6d366a
- sha256=0e5ccc54ceff545116e9d83249bc9955b4934fb4bcbcb0974e7c7b437a8ce45f
email:

This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
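The IoC blocks above share one layout: `ip:`, `domain:`, `url:` and `email:` lines holding comma-separated values defanged with `[.]`, and a `hash:` line followed by `- algo=digest` items that may pair several digests of one file. The following parser is an added example (not RST Cloud code) that refangs the values, validates IP addresses and digest lengths, and flattens the result into typed rows ready for a blocklist or SIEM import. The sample block is constructed from a few values in the Venom Spider entry above; the `hxxp://` handling is an assumption for feeds that use that notation, not something this page uses.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample in the report's own layout; values taken from the Venom Spider entry above.
SAMPLE_BLOCK = """Indicators of compromise:
-------------------------
ip: 208[.]109[.]231[.]95
domain: municipiodechepo[.]org, ryanberardi[.]com
url: http://doefstf[.]ryanberardi[.]com/ikskck, https://api[.]incapdns[.]kz/v1
hash:
- md5=ec103191c61e4c5e55282f4ffb188156, sha256=f7a405795f11421f0996be0d0a12da743cc5aaf65f79e0b063be6965c8fb8016
- sha256=0af266246c905431e9982deab4ad38aaa63d33a725ff7f7675eb23dd75ca4d83, md5=2da2f53ffd9969aa8004d0e1060d2ed1
email:
"""

# Hex-digit length of each digest type the report uses.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}


def refang(value: str) -> str:
    """Turn the report's defanged notation back into a usable indicator.

    The page only uses `[.]`; the `hxxp://` form is handled as well because other
    feeds use it (an assumption for this example, not something on this page).
    """
    value = value.replace("[.]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def _valid_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_iocs(block: str) -> Dict[str, List]:
    """Parse one IoC block into {"ip": [...], "domain": [...], "url": [...],
    "email": [...], "hash": [{"md5": ..., "sha256": ...}, ...]}.

    Unknown lines (Title:, Threats:, the dashed rule) are ignored, so a whole
    report entry can be fed in unchanged.
    """
    out: Dict[str, List] = {"ip": [], "domain": [], "url": [], "email": [], "hash": []}
    section = None
    for raw in block.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Hash items: "- md5=..., sha256=..." (several digests of the same file).
        if line.startswith("- ") and section == "hash":
            record: Dict[str, str] = {}
            for pair in line[2:].split(","):
                algo, _, digest = pair.strip().partition("=")
                algo, digest = algo.strip().lower(), digest.strip().lower()
                length = HASH_LENGTHS.get(algo)
                if length and re.fullmatch(r"[0-9a-f]{%d}" % length, digest):
                    record[algo] = digest
            if record:
                out["hash"].append(record)
            continue
        # Typed lines: the first colon ends the key, so URLs with "://" are safe.
        key, sep, rest = line.partition(":")
        key = key.strip().lower()
        if not sep or key not in out:
            continue
        section = key
        if key == "hash":
            continue
        for item in rest.split(","):
            value = refang(item.strip())
            if not value or (key == "ip" and not _valid_ip(value)):
                continue
            out[key].append(value)
    return out


def to_rows(parsed: Dict[str, List]) -> List[Tuple[str, str]]:
    """Flatten to (indicator_type, value) rows; each digest becomes its own row."""
    rows: List[Tuple[str, str]] = []
    for kind in ("ip", "domain", "url", "email"):
        rows.extend((kind, v) for v in parsed[kind])
    for record in parsed["hash"]:
        rows.extend((algo, digest) for algo, digest in record.items())
    return rows


if __name__ == "__main__":
    for kind, value in to_rows(parse_iocs(SAMPLE_BLOCK)):
        print(f"{kind}\t{value}")
```

Keeping the digests of one file together in a record (rather than emitting them as unrelated rows immediately) lets a consumer that only has MD5 visibility still join back to the SHA-256 the vendor prefers to track.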
Analysis Summary
## Tool/Technique: More\_eggs Backdoor
## Overview
More\_eggs is a sophisticated backdoor malware utilized by the financially motivated threat group Venom Spider. It is designed to steal credentials and exfiltrate data from compromised human resources departments, which are targeted via spear-phishing campaigns that lead to malicious downloads.
## Technical Details
- Type: Malware family (Backdoor)
- Platform: Windows
- Capabilities: Credential theft, data exfiltration, advanced obfuscation, server-side polymorphism, remote command execution.
- First Seen: (Not explicitly stated in the summary, derived from 2024-2025 context)
## MITRE ATT&CK Mapping
This analysis maps known behaviors associated with the described capabilities:
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol (Implied by C2 communication)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- Execution via spear-phishing emails containing fake resumes, leading to a malicious website to download a ZIP file containing a Windows shortcut.
- Credential theft.
- Data exfiltration.
### Advanced Features
- **Server-Side Polymorphism:** Allows the malware to generate unique payloads to evade detection.
- **Obfuscation Techniques:** Utilizes advanced obfuscation to hide malicious intent.
- **Time Delays:** Incorporation of time delays to slow down automated analysis.
- **Use of Legitimate System Commands:** Employs legitimate system commands as a defense evasion technique (likely LOLBIN usage, inferred from associated threat context).
## Indicators of Compromise
- File Hashes:
  - MD5: `ec103191c61e4c5e55282f4ffb188156`, `c16aa3276e4bcbbe212d5182de12c2b7`, `ebb5fb96bf2d8da2d9f0f6577766b9f1`, `2da2f53ffd9969aa8004d0e1060d2ed1`, `17158538b95777541d90754744f41f58`, `46f142198eeeadc30c0b4ddfbf0b3ffd`, `b1e8602e283bbbdf52df642dd460a2a2`
  - SHA256: `f7a405795f11421f0996be0d0a12da743cc5aaf65f79e0b063be6965c8fb8016`, `bd49b2db669f920d96008047a81e847ba5c2fd12f55cfcc0bb2b11f475cdf76f`, `2fef6c59fbf16504db9790fcc6759938e2886148fc8acab84dbd4f1292875c6c`, `0af266246c905431e9982deab4ad38aaa63d33a725ff7f7675eb23dd75ca4d83`, `f873352564a6bd6bd162f07eb9f7a137671054f7ef6e71d89a1398fb237c7a7b`, `184788267738dfa09c82462821b1363dbec1191d843da5b7392ee3add19b06fb`, `ccb05ca9250093479a6a23c0c4d2c587c843974f229929cd3a8acd109424700d`
- File Names: Windows shortcut file residing in a downloaded ZIP file.
- Registry Keys: (Not explicitly stated)
- Network Indicators:
  - IP: `208[.]109[.]231[.]95`
  - Domains: `municipiodechepo[.]org`, `ryanberardi[.]com`, `doefstf[.]ryanberardi[.]com`, `dtde[.]ryanberardi[.]com`, `tool[.]municipiodechepo[.]org`
  - URLs: `http://doefstf[.]ryanberardi[.]com/ikskck`, `https://tool[.]municipiodechepo[.]org/id/243149`, `http://doefstf[.]ryanberardi[.]com`, `http://dtde[.]ryanberardi[.]com`, `http://dtde[.]ryanberardi[.]com/ikskck`, `https://beta[.]w3[.]org[.]kz/release/info`, `https://host[.]moresecurity[.]kz/host/info`, `https://report[.]monicabellucci[.]kz/295693495/info`, `https://cast[.]voxcdn[.]kz/yui/yui-min[.]js`, `https://contactlistsagregator[.]com/j2378745678674623/ajax[.]php`, `https://onlinemail[.]kz/version44/info`, `https://stats[.]wp[.]org[.]kz/license[.]txt`, `https://api[.]incapdns[.]kz/v1`
- Behavioral Indicators: Communication with C2 servers for remote command execution.
## Associated Threat Actors
- Venom Spider (Financially motivated group)
## Detection Methods
- Signature-based detection targeting known hashes.
- Behavioral detection focusing on execution flow involving shortcuts and subsequent network callbacks.
- Detection of polymorphism-related patterns or time-delayed execution.
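The second detection method above, a shortcut launched from an extracted archive followed by a network callback, is a correlation across process and network telemetry rather than a single-event match. The script below is an added example (not from the Arctic Wolf report or RST Cloud) that implements it over constructed, Sysmon-like events. The heuristics are assumptions for the example: a "suspicious root" is a script host or LOLBIN spawned by `explorer.exe` whose command line or working directory points into a Downloads or Temp folder, and any network connection from that process or one of its descendants within a ten-minute window is reported. The window is deliberately wide because the report notes the malware's use of time delays. The callback host is the refanged `doefstf[.]ryanberardi[.]com` from the IoC list; the file paths are invented.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Heuristic assumptions for this example (not stated on the page).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe"}
STAGING_DIRS = ("\\downloads\\", "\\temp\\")
# The report notes deliberate time delays before the callback, so keep the window wide.
CALLBACK_WINDOW = timedelta(minutes=10)

# Constructed telemetry (simplified Sysmon-like fields); none of this is real data.
# Windows Explorer extracts files opened from a ZIP into a Temp1_<name>.zip folder.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2025-05-06T09:00:00", "type": "process", "pid": 800, "ppid": 600,
     "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe", "cwd": "C:\\Users\\hr\\"},
    {"ts": "2025-05-06T09:00:05", "type": "process", "pid": 1200, "ppid": 800,
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c \"C:\\Users\\hr\\AppData\\Local\\Temp\\Temp1_resume.zip\\resume.cmd\"",
     "cwd": "C:\\Users\\hr\\AppData\\Local\\Temp\\Temp1_resume.zip\\"},
    # Second stage started by the first one after a delay (descendant of the root).
    {"ts": "2025-05-06T09:04:40", "type": "process", "pid": 1300, "ppid": 1200,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -w hidden", "cwd": "C:\\Users\\hr\\AppData\\Local\\Temp\\"},
    {"ts": "2025-05-06T09:05:10", "type": "network", "pid": 1300, "dest": "doefstf.ryanberardi.com:80"},
    # Benign: a user opens a shell from the desktop and installs a package.
    {"ts": "2025-05-06T09:10:00", "type": "process", "pid": 1400, "ppid": 800,
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe", "cwd": "C:\\Users\\hr\\Desktop\\"},
    {"ts": "2025-05-06T09:10:30", "type": "network", "pid": 1400, "dest": "pypi.org:443"},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _is_suspicious_root(ev: Dict, procs: Dict[int, Dict]) -> bool:
    """Script host spawned by explorer.exe with a staging folder in its cmdline or cwd."""
    parent = procs.get(ev["ppid"])
    if parent is None or _basename(parent["image"]) != "explorer.exe":
        return False
    if _basename(ev["image"]) not in SCRIPT_HOSTS:
        return False
    haystack = (ev.get("cmdline", "") + " " + ev.get("cwd", "")).lower()
    return any(d in haystack for d in STAGING_DIRS)


def _ancestor_root(pid: int, procs: Dict[int, Dict], roots: Dict[int, Dict],
                   max_depth: int = 16) -> Optional[Dict]:
    """Walk up the parent chain (bounded, in case of pid reuse loops) to a suspicious root."""
    for _ in range(max_depth):
        if pid in roots:
            return roots[pid]
        proc = procs.get(pid)
        if proc is None:
            return None
        pid = proc["ppid"]
    return None


def correlate(events: List[Dict]) -> List[Dict]:
    """Return one alert per network connection attributable to a suspicious root
    within CALLBACK_WINDOW of that root's start."""
    procs: Dict[int, Dict] = {}
    roots: Dict[int, Dict] = {}
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        if ev["type"] == "process":
            procs[ev["pid"]] = ev
            if _is_suspicious_root(ev, procs):
                roots[ev["pid"]] = ev
        elif ev["type"] == "network":
            root = _ancestor_root(ev["pid"], procs, roots)
            if root is None:
                continue
            delay = datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(root["ts"])
            if timedelta(0) <= delay <= CALLBACK_WINDOW:
                alerts.append({"root_pid": root["pid"], "root_cmdline": root["cmdline"],
                               "net_pid": ev["pid"], "dest": ev["dest"],
                               "delay_s": int(delay.total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Attributing the connection to the root process through the ancestry chain, not just to the direct child of `explorer.exe`, is what catches the delayed second stage here; the benign `cmd.exe` session launched from the desktop never qualifies as a root, so its traffic is not reported.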
## Mitigation Strategies
- Enhance email filtering to block spear-phishing attempts targeting HR departments.
- Restrict execution privileges for untrusted scripts launched from common locations.
- Monitor for unusual network connections to newly registered or suspicious domains used for C2.
## Related Tools/Techniques
- Terraloader (Mentioned as an associated threat component, likely used for initial delivery/loading).
- LOLBIN Usage (Implied technique used by the malware).
***
## Tool/Technique: SAP NetWeaver Visual Composer Web Shell (CVE-2025-31324 Exploitation)
## Overview
This describes an active exploitation campaign targeting manufacturing sectors by Chinese threat actors (Chaya\_004 group) leveraging a vulnerability (CVE-2025-31324) in SAP NetWeaver Visual Composer. The exploitation installs malicious web shells to gain control over SAP applications.
## Technical Details
- Type: Exploited Vulnerability leading to Web Shell/Backdoor deployment
- Platform: SAP NetWeaver (Server-Side)
- Capabilities: Remote Code Execution (RCE) via file upload, web shell deployment, manipulation of SAP applications, backdoor installation.
- First Seen: (Implied from "Exploited In The Wild")
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application
- **TA0002 - Execution**
  - T1129 - Exploitation for Client Execution (If RCE leads to lateral movement)
- **TA0003 - Persistence**
  - T1505 - Server Software Compromise
    - T1505.003 - Web Shell
- **TA0010 - Exfiltration** (Implied goal of granting access)
## Functionality
### Core Capabilities
- Exploiting CVE-2025-31324 in SAP NetWeaver Visual Composer via the `/developmentserver/metadatauploader` endpoint.
- Uploading malicious web shells to gain persistence and manipulate SAP applications.
### Advanced Features
- **Sophisticated Infrastructure Reliance:** Use of legitimate hosting services and compromised infrastructure for staging and control.
- **SuperShell Backdoor:** Deployment of the SuperShell backdoor for ongoing malicious activity.
## Indicators of Compromise
- File Hashes: (Not explicitly provided for the web shell/SuperShell in this subsection)
- File Names: Web shells planted on the server.
- Registry Keys: (Not applicable for server-side RCE via HTTP endpoint)
- Network Indicators:
  - IP Addresses (Scanning/C2 Activity): `45[.]94[.]43[.]41`, `47[.]97[.]42[.]177`, `49[.]232[.]93[.]226`, `135[.]119[.]17[.]221`, `172[.]212[.]216[.]128`, `20[.]118[.]200[.]88`, `20[.]15[.]201[.]23`, `20[.]150[.]192[.]39`, `20[.]150[.]202[.]55`, `20[.]163[.]15[.]93`, `20[.]163[.]57[.]193`, `20[.]163[.]74[.]20`, `20[.]169[.]105[.]57`, `20[.]169[.]48[.]59`, `20[.]171[.]30[.]196`, `20[.]171[.]9[.]108`, `20[.]29[.]42[.]207`, `20[.]65[.]193[.]234`, `20[.]65[.]194[.]9`, `20[.]65[.]195[.]20`, `40[.]67[.]161[.]44`, `13[.]228[.]100[.]218`, `13[.]58[.]39[.]15`, `18[.]142[.]70[.]42`, `18[.]159[.]188[.]112`, `3[.]12[.]99[.]176`, `3[.]19[.]125[.]50`, `3[.]65[.]236[.]123`, `3[.]65[.]237[.]228`, `3[.]77[.]117[.]203`, `35[.]157[.]196[.]116`, `52[.]74[.]236[.]95`, `163[.]172[.]146[.]243`, `212[.]28[.]183[.]85`, `212` (Incomplete list)
- Behavioral Indicators: Scanning activity targeting SAP NetWeaver servers.
## Associated Threat Actors
- Chaya\_004\_group (Chinese Threat Actor)
## Detection Methods
- Network monitoring for web requests hitting the `/developmentserver/metadatauploader` endpoint with suspicious payloads.
- Vulnerability scanning to identify systems missing patches for CVE-2025-31324.
- Use of specialized tools like zgrab\_scanner\_tool to discover vulnerable hosts.
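The first detection method above, watching for requests to the `/developmentserver/metadatauploader` endpoint, can be implemented directly over the web server's access log. The script below is an added example (not from Forescout or RST Cloud) that parses NCSA-style lines, rates a successful POST or PUT to the endpoint as high severity (an upload, which is the assumption made here about how the web shell arrives), rates any other request to the endpoint as medium, flags source addresses that appear in the report's IoC list, and raises a separate alert when a client that touched the endpoint then requests a path not previously seen in the log, a heuristic for first use of a planted web shell. The log lines are constructed: the benign clients use RFC 5737 documentation addresses, the probing address is one from the IoC list above, and the `.jsp` path is invented rather than an observed web shell name.

```python
import re
from typing import Dict, List, Optional

# Endpoint named in the Forescout summary on this page.
VULNERABLE_ENDPOINT = "/developmentserver/metadatauploader"

# Three addresses from the report's IoC list (refanged); a deployment would load the full feed.
REPORTED_IPS = {"45.94.43.41", "47.97.42.177", "8.210.65.56"}

# Constructed NCSA-style access log lines; not real traffic.
SAMPLE_LOG = """203.0.113.10 - - [07/May/2025:10:01:12 +0000] "GET /irj/portal HTTP/1.1" 200 5123
45.94.43.41 - - [07/May/2025:10:02:03 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 812
45.94.43.41 - - [07/May/2025:10:02:05 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 200
45.94.43.41 - - [07/May/2025:10:02:09 +0000] "GET /irj/newfile.jsp HTTP/1.1" 200 60
198.51.100.7 - - [07/May/2025:10:05:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one access log line; the query string is dropped for path matching."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["path"] = ev["path"].split("?", 1)[0]
    ev["status"] = int(ev["status"])
    return ev


def detect(log_text: str) -> List[Dict]:
    alerts: List[Dict] = []
    touched = set()       # clients that requested the upload endpoint
    flagged_ips = set()   # IoC-list hits already reported (one alert per address)
    seen_paths = set()    # paths observed so far in this log
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, path, method = ev["ip"], ev["path"], ev["method"]
        if path.lower().startswith(VULNERABLE_ENDPOINT):
            # Assumption: a web shell upload is a POST/PUT that the server accepted.
            is_upload = method in ("POST", "PUT") and ev["status"] < 400
            alerts.append({"ip": ip, "path": path, "reason": "upload_endpoint_request",
                           "severity": "high" if is_upload else "medium"})
            touched.add(ip)
        elif ip in touched and path not in seen_paths:
            # Heuristic: first request to a never-seen path right after an upload attempt.
            alerts.append({"ip": ip, "path": path, "reason": "new_path_after_upload_attempt",
                           "severity": "high"})
        if ip in REPORTED_IPS and ip not in flagged_ips:
            alerts.append({"ip": ip, "path": path, "reason": "source_ip_in_ioc_list",
                           "severity": "medium"})
            flagged_ips.add(ip)
        seen_paths.add(path)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f'{alert["severity"]:6} {alert["ip"]:15} {alert["reason"]:30} {alert["path"]}')
```

The "new path" heuristic needs a baseline of normal paths (here only what the same log shows earlier), so in production it should be seeded from a longer history of the SAP portal's traffic to avoid firing on ordinary navigation.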
## Mitigation Strategies
- Immediately patch **CVE-2025-31324** in SAP NetWeaver Visual Composer.
- Restrict external access to maintenance/development endpoints on SAP systems.
- Monitor for the command and control infrastructure associated with SuperShell backdoor callbacks.
## Related Tools/Techniques
- SuperShell (Backdoor deployed post-exploitation)
- Cobalt Strike (Likely used for C2 post-exploitation framework)
- ZGrab Scanner (Used for discovery/scanning)
- ARL Tool, PoC Assist Tool (Mentioned related utilities)
***
## Tool/Technique: Lumma Stealer
## Overview
Lumma Stealer is an actively marketed Malware-as-a-Service (MaaS) information-stealing malware first detected around August 2022. It is currently employing GitHub impersonation for aggressive social engineering to achieve high infection rates, targeting sensitive data such as credentials and cryptocurrency information from web browsers.
## Technical Details
- Type: Malware (Infostealer)
- Platform: Windows (Implied by process hollowing and PowerShell usage)
- Capabilities: Credential theft (browsers), cryptocurrency theft, advanced defense evasion, payload encryption, persistence, data exfiltration over encrypted channels.
- First Seen: August 2022 (Marketing start)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (Via social engineering campaigns often impersonating trusted platforms)
- **TA0005 - Defense Evasion**
  - T1055 - Process Injection
    - T1055.009 - Process Hollowing
  - T1027 - Obfuscated Files or Information
    - T1027.006 - Space after the string
- **TA0008 - Lateral Movement** (Implied C2/payload delivery)
- **TA0006 - Credential Access**
  - T1555 - Credentials from Credential Stores
- **TA0010 - Exfiltration**
  - T1048 - Exfiltration Over Alternative Protocol
## Functionality
### Core Capabilities
- Harvesting sensitive data from web browsers (passwords, cryptocurrency details).
- Exfiltrating stolen data via encrypted channels to attacker servers.
- Maintaining persistence on the compromised host.
### Advanced Features
- **Defense Evasion:** Includes virtual machine (VM) detection to avoid analysis sandboxes.
- **Payload Obfuscation:** Uses Base64 encoding for obfuscation (junk\_code as a related term).
- **Process Hollowing & Injection:** Deploys sophisticated techniques like DLL Sideloading and Process Hollowing for execution stealth.
- **Execution via Legitimate Tools:** Leverages PowerShell for executing attack stages.
## Indicators of Compromise
- File Hashes:
  - SHA256: `b127de888f09ce23937c12b7fccfa47a8f48312b0e43eb59b6243f665c6d366a`, `0e5ccc54ceff545116e9d83249bc9955b4934fb4bcbcb0974e7c7b437a8ce45f`
- File Names: `.mp4` files used in the delivery chain (e.g., `s7.mp4`, `wassap.mp4`) leading to the final payload.
- Registry Keys: (Not explicitly stated)
- Network Indicators:
  - Domains: `lumdukekiy[.]shop`
  - URLs: `https://app[.]mediafire[.]com/5mrkd33xulszl`, `https://kiddoloom[.]shop/s7[.]mp4`, `https://n2[.]aroundpayablequirk[.]shop/s7[.]xll`
- Behavioral Indicators: Use of PowerShell, encrypted network communications, anti-VM checks.
## Associated Threat Actors
- Shamel / Lumma (MaaS operator)
- Stargazer Goblin Group (Associated group)
## Detection Methods
- Signature targeting known Lumma Stealer hashes.
- Behavioral monitoring for unauthorized use of PowerShell combined with file dropping/renaming.
- Detecting known DLL Sideloading patterns or memory artifacts indicative of Process Hollowing.
## Mitigation Strategies
- Implement strong endpoint detection and response (EDR) to monitor for memory injection techniques.
- Restrict applications from executing PowerShell scripts without proper signing or justification.
- Educate users on social engineering attempts, especially those impersonating GitHub or other trusted sources.
## Related Tools/Techniques
- Mimikatz (Often used adjunctively by stealer malware)
- SmartLoader (Delivery mechanism mentioned)
- DLL Sideloading, Process Hollowing (Execution techniques)