This is a weekly threat intelligence report review from RST Cloud. This week, we analysed 66 threat intelligence reports and compiled a concise summary of each report, along with the pertinent metadata that was gathered. Below you will find a short summary of 10 of those reports, the related threats, tools and threat actors, a link to the source, and a selection of the indicators of compromise (IoCs) extracted from the original reports. More granular information, including TTPs, on all reports is available via RST Report Hub.

Title: Blind Eagle: And Justice for All
Link: https://research.checkpoint.com/2025/blind-eagle-and-justice-for-all/
Summary: Blind Eagle, also known as APT-C-36, is an advanced persistent threat group that has targeted Colombian institutions since 2018, relying on social engineering tactics such as phishing to distribute malware. The group has recently exploited CVE-2024-43451 for lateral movement within networks and has used the Remcos Remote Access Trojan (RAT) together with HeartCrypt for obfuscation. Notably, the group distributes malware through legitimate file-sharing platforms; a December 2024 campaign affected over 1,600 individuals in judicial institutions, indicating a significant infection rate.
Threats: blindeagle_group socialismo_campaign paraiso2_campaign marte saturno_campaign paraiso_campaign remcos_rat passthehash_technique heartcrypt purecryptor njrat asyncrat uac-0194_group Infostealer.Win.Generic.F runpe_tool Infostealer.Win.PasswordStealer.A Trojan.Win.Unpacme.gl Trojan.Win.Benjaminbo_test.gl
Indicators of compromise:
-------------------------
ip: 181[.]131[.]217[.]244, 177[.]255[.]85[.]101
domain: newstaticfreepoint24[.]ddns-ip[.]net, 17dic[.]ydns[.]eu, 21ene[.]ip-ddns[.]com, republicadominica2025[.]ip-ddns[.]com, elyeso[.]ip-ddns[.]com:30204, amuntgroupfree[.]ip-ddns[.]com, donato[.]con-ip[.]com, elyeso[.]ip-ddns[.]com, comina998[.]ddns-ip[.]net, 21ene[.]ip-ddns[.]com:30204
url: https://drive[.]usercontent[.]google[.]com/download?id=1CZcgN1kxz9kSNgscR9qgiOAERo-w-rTa&export=download, https://drive[.]usercontent[.]google[.]com/download?id=1PZ2Ndi-GT-oQHlobFIdDJoSDSXkJvECV&export=download, https://drive[.]usercontent[.]google[.]com/download?id=1R9MR64hy-dQelTZMPtsrSXLWObFt7mf2&export=download, http://62[.]60[.]226[.]64/file/1374_2790[.]exe, http://62[.]60[.]226[.]64/file/3819_5987[.]exe, http://62[.]60[.]226[.]64/file/9451_1380[.]exe, https://raw[.]githubusercontent[.]com/Oscarito20222/file/refs/heads/main/redtube[.]exe
hash:
- sha1=1d1e007a9d8939bee7a0333522cc4f7480d448cc
- sha1=133bc4304057317b0b93f5ff44f20d153b985b50
- sha1=1fcc44d3b20381acce66f5634743917e8f22dae7
- sha1=a0338654304b6f824bdc39bbb482a0e114f8a3a1
- sha1=07647f0eddf46d19e0864624b22236b2cdf561a1
- sha1=08daf84d9c2e9c51f64e076e7611601c29f68e90
- sha1=83c851f265f6d7dc9436890009822f0c2d4ba50a
- sha1=33ddaedc98991435f740f7a5a8a931a8cadd5391
- sha1=758c73ab9706ae6977f9b4601c20b3667836d3ef
email:

Title: Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker's First Choice
Link: https://www.proofpoint.com/us/blog/threat-insight/remote-monitoring-and-management-rmm-tooling-increasingly-attackers-first-choice
Summary: Cybercriminals are increasingly using legitimate remote monitoring and management (RMM) tools, such as ScreenConnect and Atera, as the initial payload in email-based attacks, a shift away from traditional malware loaders. The trend became more pronounced in 2024 as threat actors such as TA583 and TA2725 moved to delivering RMM tools directly through deceptive campaigns that often impersonate trusted entities. The shift reflects an adaptation to disruptions in conventional malware infrastructure and highlights the data exfiltration and lateral movement capabilities of RMM tools, which pose significant risk because they blend in with legitimate software.
Threats: screenconnect_tool fleetdeck_tool atera_tool netsupportmanager_rat toad_technique anydesk_tool teamviewer_tool ultraviewer_tool ta577_group ta571_group ta544_group blackbasta icedid systembc pikabot smokeloader bumblebee trickbot ta583_group asyncrat ta2725_group mispadu astaroth grandoreiro smartapesg_campaign uac-0050_group lumma_stealer rms_tool remcos_rat lite_manager_tool bluetrait connectwise_tool ultra_vnc_tool
Indicators of compromise:
-------------------------
ip: 109[.]71[.]247[.]168, 185[.]157[.]213[.]71:443
domain: retireafter5m[.]co, invoice007[.]zapto[.]org, instance-udm3tv-relay[.]screenconnect[.]com
url: https://region-businesss-esignals[.]s3[.]us-east-1[.]amazonaws[.]com/region-businesss-esignals-46980[.]html, https://ssastatementshelpcenter[.]de/top, https://retireafter5m[.]co/Bin/Recently_S_S_A_eStatementForum_Viewr5406991387785667481_Pdf[.]Client[.]exe?e=Access&y=Guest&s=1fa76235-0891-43b3-9773-feba750a3852&i=Buss1, https://safelink[.]vn/OsDXr, https://safelink[.]vn/GESLx, http://www[.]farrarscieng[.]com/re[.]php, https://3650ffice[.]anticlouds[.]su/Fraud_Alert_black, https://online[.]invoicesing[.]es/Bin/Statement[.]ClientSetup[.]exe?e=Access&y=Guest&c=Black_Cat&c=&c=&c=&c=&c=&c=&c=, https://online[.]invoicesing[.]es/Bin/Attachment[.]Client[.]exe?h=instance-w08c5r-relay[.]screenconnect[.]com&p=443&k=BgIAAACkAABSU0ExAAgAAAEAAQBtb%2FXciCJO5hHyAR3NG5qwkHgKE4K5jxeGBs35Nlncjh1l6g%2B23I88rvlqmL%2FU%2BHDK35q63nY%2BZ%2BacGdqbEGbCs9%2BC5ELjJTyrUFEL0gVqegeArzyszYoIS4ijuI8mGGKzW9tytW5tQhqCPuQeWdSbe0f0ttBWIUk6MfP0L7WpImwpbDzvxtmyMWSxZ8JZg39F6e1w8cQHzLH0aqJX9uvQgIvogbJB0mFXWURVi9ErahW%2BwkXWptsr99acbACeWvHhej11zT9ZPHMMaluuXTiYnS06xPJTJZglT5hvMbl15uReewBWhhwiEVa2S%2BD%2BCQEQGLsz1dpJNd543dQllUPh&s=c242c8a1-6914-4689-8deb-67789c4f3a34&i=&e=Support&y=Guest&r=, http://45[.]155[.]249[.]215/xxx[.]zip, https://kalika[.]bluetrait[.]io/api
hash:
- sha256=4c4e15513337db5e0833133f587e0ed131d4ebb65bb9a3d6b62a868407aae070
- sha256=b8fd2b4601b09aacd760fbede937232349bf90c23b35564ae538ed13313c7bd0
- sha256=97b35a7673ae59585ad39d99e20d9028ac26bbccb50f2302516520f544fe637e
email:

Title: Head Mare and Twelve join forces to attack Russian entities
Link: https://securelist.com/head-mare-twelve-collaboration/115887/
Summary: In September 2024, targeted attacks against Russian companies were attributed to the hacktivist groups Head Mare and Twelve, suggesting notable collaboration between them. Head Mare used Twelve's CobInt backdoor alongside its own PhantomJitter backdoor, indicating a shift in tactics as the group expanded from phishing to infiltrating systems through compromised contractors. The attacks exploited vulnerabilities in WinRAR and Microsoft Exchange Server and employed various tools, including PowerShell for C2 communication and reconnaissance. The investigation revealed overlapping tools and C2 infrastructure between the two groups, underscoring their adaptive strategies and a concerning trend in the evolving threat landscape.
Threats: head_mare_group c0met_group mimikatz_tool adrecon secretsdump_tool procdump_tool localtonet_tool revsocks ngrok_tool cloudflared_tool fscan_tool mremoteng_tool smbexec_tool wmiexec_tool lockbit babuk cobint phantomjitter proxylogon_exploit nssm_tool rclone_tool ntdsutil_tool paexec_tool
Indicators of compromise:
-------------------------
ip: 45[.]156[.]27[.]115, 45[.]156[.]21[.]148, 64[.]7[.]198[.]109, 185[.]229[.]9[.]27, 45[.]87[.]246[.]34, 185[.]158[.]248[.]107
domain: 360nvidia[.]com, web-telegram[.]uk
url: http://web-telegram[.]uk/vivo[.]txt
hash:
- md5=6008e6c3deaa08fb420d5efd469590c6
- md5=c21c5dd2c7ff2e4badbed32d35c891e6
- md5=70c964b9aeac25bc97055030a1cfb58a
- md5=87eecdcf34466a5945b475342ed6bcf2
- md5=96ec8798bba011d5be952e0e6398795d
email:

Title: Cyber Threat Hunting in Healthcare, Part 2: File Infectors, Botnets
Link: https://www.forescout.com/blog/cyber-threat-hunting-in-healthcare-part-2-file-infectors-botnets/
Summary: Recent investigations into threats within the healthcare sector have revealed significant vulnerabilities, particularly around the DICOM protocol used across interconnected hospital systems. A campaign attributed to Chinese threat actors was identified, involving Floxif/Pioneer malware targeting Siemens syngo fastView DICOM viewers; the malware embeds malicious code into executable files and downloads additional malware onto infected systems. Additionally, samples of the Panda Burning Incense malware were found infecting the Mindray Central Monitoring Station, and botnet samples exploiting default credentials on the GE Healthcare MUSE system were discovered, capable of reporting vulnerabilities and suggesting a potential shift towards broader exploitation within healthcare environments.
Threats: floxif fujack darkhotel_group airdropbot mirai bashlite ddos-for-hire_campaign silver_fox_group
Indicators of compromise:
-------------------------
ip: 141[.]98[.]11[.]96, 91[.]234[.]99[.]177, 185[.]244[.]25[.]200, 185[.]244[.]25[.]202, 154[.]85[.]233[.]136
domain: 9z9t[.]com, daohang08[.]com, stresser[.]pw
url:
hash:
- sha256=d7a79484965a3425c2ab4750d1283e80f9903b023f65aed347f0329818189d2d
- sha256=3bb1a8ef950e79184585eff7c44f15b6cbef66d90c128a69070e2ca0b2db50f6
- sha256=b2fc6d4e65e42174c09fb2d3ff902e7e31408fe36617e3e53c543418f3a9fc21
- sha256=975b9b27760f8b6db9874c6c74e7eee9122e7c8cd663f7212acc4a9edaf8222b
- sha256=178a0b90512f4013a7c6577e4595a89e5d8d6f8c8a85f672424dffa6c79d776f
- sha256=94951a1f9830d7a97286b5cc5a9b01b12c143e5c6d7aa9226642ed6507ab9d12
- sha256=a545d8993f069a237627c8fbcad60629404d61460efcdf084a8d276a90c57258
- sha256=d953b7cd781a0a3c31b8770b3179bdd1612f4ac058f8f78f2934c914457def92
- sha256=7fb44d3a60fedc6c9eb00bf51316d07aadf7e4062495ec917605b04c0b966db5
- sha256=a614796e796b3691a6c4175082d4d42246ebb0d36ac7bab311b3964f54749e4e
- sha256=38b61236407f4f28ee4d5b7798d1d6f5f3fc8cf937b9fc54c07d75464810ebc3
- sha256=8c570534b77d41bcacf1d2ecc7aec75c4ece59a80f0241f450a72e7de89c35c1
- sha256=6f91a07e48d01858ee308ef430c6dae3694d540687c2341e427b340dbfd31c32
- sha256=975ab3b9b306cada378bed98b68368cbf389c718767b91fde67df154c1e6417c
- sha256=61f640364ab398db7d32c87585481d3b34578324491c6070cc45d2ddd2faea1d
- sha256=29b30fd8e8dfe1308df164298b6dee16960c7f5b8cd70098ef542a8506c91ece
- sha256=e375646b471b137a9c65a444acc4d50153600e6d6cd0e995d7d569b05791bfce
- sha256=3d6a6cfb19e1e1a9cf8c9cd56b7477ecfed2de3acacd7b90345b3eba6c324ac8
- sha256=447a3b7a4b549fd237e31b4a833466690dfa75c12104e6d5bdac80d6c321336a
- sha256=d6155a83e85dad5f8e66267c99bc6152dff5a5f53ec67ccd3b8cf1f1a0193b73
- sha256=97f71348c5ebc187091ec61860110473ab4f2ca78dcae9890e5fbec5c45ad4be
email:

Title: Unveiling EncryptHub: Analysis of a multi-stage malware campaign
Link: https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware/
Summary: EncryptHub has been identified as a significant cybercriminal organization; lapses in its own security practices allowed investigators to uncover its operational infrastructure and tactics. The group uses a multi-layered attack strategy built on trojanized versions of widely used applications, such as QQ Talk and WeChat, to deliver malware and gain initial access to victim systems. Its operations include PowerShell scripts for data collection and third-party services such as "LabInstalls" to automate malware distribution. Recent developments indicate a shift towards advanced data exfiltration methods targeting sensitive information such as cryptocurrency wallets and browser-stored passwords, along with manipulation of security software for stealthier operation. EncryptHub is also reportedly developing a remote access tool, "EncryptRAT," to further extend its capabilities.
Threats: encrypthub_group encryptrat kematian_stealer rhadamanthys
Indicators of compromise:
-------------------------
ip: 45[.]131[.]215[.]16, 64[.]95[.]13[.]166, 82[.]115[.]223[.]199, 85[.]209[.]128[.]128, 82[.]115[.]223[.]182, 193[.]149[.]176[.]228
domain: paloaltonworks[.]com, encrypthub[.]us, concur[.]net[.]co, global-protect[.]net, global-protect[.]us, blackangel[.]dev, meets-gooie[.]com, fuckedserver[.]net, healthy-cleanse-fit[.]com, 353827-coinbase[.]com, conferx[.]live, b8-crypt0x[.]com, alphabit[.]vc
url: https://encrypthub[.]us/encrypthub/ram, https://encrypthub[.]us/encrypthub/ram/ram[.]ps1, https://encrypthub[.]us/encrypthub/ram/ram[.]exe, https://85[.]234[.]100[.]177/b97c5970b3a1f0ccc/iwbsn37q[.]xl2a8, http://31[.]41[.]244[.]11/files/5094364719/WClchuE[.]ps1, http://31[.]41[.]244[.]11/files/5094364719/T5NHWKA[.]ps1, http://31[.]41[.]244[.]11/files/5094364719/RRFd0ev[.]ps1, http://31[.]41[.]244[.]11/files/5094364719/wVjWGck[.]ps1, http://185[.]215[.]113[.]39/files/5094364719/pcuy9xE[.]ps1, http://185[.]215[.]113[.]39/files/5094364719/fpEu4ir[.]ps1, http://185[.]215[.]113[.]39/files/5094364719/RNsgUnN[.]ps1, http://185[.]215[.]113[.]39/files/5094364719/7GVy9sB[.]ps1, http://185[.]215[.]113[.]97/files/5094364719/LR8QUOU[.]ps1
hash:
- sha256=90b7b711f56f00a1fa08a7a29f2cd8602b8aa1a0d78986dbfc9f64e38ac6cecd
- sha256=1bce694f9f811982eb01d381a69cdd56c3fa81d113e41b5acb902ec66ec942b1
- sha256=411e6413afc5dadc63f69dd37d25f23dfee1fbd5eff1a591ba33dfc38ca5a4fd
- sha256=532f4c9c72f1c77531a55f7811371aa65f85fc3a768d792482cab3381cdd29b3
- sha256=4af6e5a266577ccc2dca9fcbe2f56a9673947f6f3b5b9d1d7eb740613fce80d4
- sha256=1661e8f8758526f913e4400af8dbfa7587794ba9345f299fa50373c7140e5819
- sha256=f687fe9966f7a2cb6fdc344d62786958edc4a9d9b8389a0e2fea9907f90cfde2
- sha256=37bf1269a21cba22af239e734de043f1d08d61b44414bcf63b1b9198e6a8bc87
- sha256=7d222bb62ae995479f05d4bddaa0b7d6dd7ade8d9c438214b00cc1d1be9b9db1
- sha256=cc70570dd68a01ef43497c13ea7e5620256208b73bd1e4487f3bf0c91617169f
- sha256=c5f07de4d69742b5a4492f87902c1907948149052a9522719b1f14ab3cb03515
- sha256=cbb84155467087c4da2ec411463e4af379582bb742ce7009156756482868859c
- sha256=725df91a9db2e077203d78b8bef95b8cf093e7d0ee2e7a4f55a30fe200c3bf8f
- sha256=db3fe436f4eeb9c20dc206af3dfdff8454460ad80ef4bab03291528e3e0754ad
- sha256=6b249d6421f4c8c04ca11febb0244f333aa49ca6a28feee62b7c681960a86ad5
- sha256=5588d1c5901d61bb09cd2fc86d523e2ccbc35a0565fd63c73b62757ac2ee51f5
- sha256=522fd6a56589f3ce764c88846006cca8c37ccbb286c6d2754ea979a59909271d
- sha256=c124f307ffbfdba7190c0df9651e895c720962094a78a0af347b2f1e7a8962d0
- sha256=21b99435d0cf1f9845feb795c83cbf9d10211e6bc26460f4cdcfcd57569054fe
- sha256=381695385bde0f96ad93dcbab79b3fc40f84e497c0b6afd087d2f1a2fbf824c3
- sha256=9d9829ff50f5195ef4c1ebee6cf430c013ad47665657ef9a6c3bc0b9911a40c4
- sha256=ecb7ee118b68b178e62b68a7e2aaee85bafc8b721cb9cee30d009a0c96e59cef
- sha256=f2836437090bfb8ff878c9a8aee28e036adc4ad7c73a51623c5c6ff12445a741
- sha256=07397a113756805501a3f73a027977011849a90053f2a966053711f442d21b8d
- sha256=06628b0447c94dd270ecaf798bd052891cda386d504a20d439eb994004ff483c
- sha256=e4fc16fb36a5cd9e8d7dfe42482e111c7ce91467f6ac100a0e76740b491df2d4
- sha256=977198c47d5e7f049c468135f5bde776c20dcd40e8a2ed5adb7717c2c44be5b9
- sha256=fcfb94820cb2abbe80bdb491c98ede8e6cfa294fa8faf9bea09a9b9ceae35bf3
email:

Title: Lazarus Strikes npm Again with New Wave of Malicious Packages
Link: https://socket.dev/blog/lazarus-strikes-npm-again-with-a-new-wave-of-malicious-packages
Summary: The Socket Research Team has identified six malicious npm packages linked to North Korea's Lazarus Group, which aim to infiltrate developer environments and enable data theft and backdoor access using embedded BeaverTail malware. The packages, which typosquat popular libraries, have been downloaded over 330 times and use sophisticated obfuscation to gather sensitive system information and extract cryptocurrency wallet data. They communicate with a hardcoded command-and-control server for data exfiltration and follow a multi-stage deployment strategy, illustrating the Lazarus Group's continued evolution of software supply chain attacks.
Threats: lazarus_group contagious_interview_campaign beavertail supply_chain_technique typosquatting_technique invisibleferret
Indicators of compromise:
-------------------------
ip: 172[.]86[.]84[.]38
domain:
url: http://172[.]86[.]84[.]38:1224/uploads, http://172[.]86[.]84[.]38:1224/pdown, http://172[.]86[.]84[.]38:1224/client/9/902
hash:
- sha256=6a104f07ab6c5711b6bc8bf6ff956ab8cd597a388002a966e980c5ec9678b5b0
email: edanjohn1991@gmail[.]com, hottblaze012@gmail[.]com, ricardoalexis0629@gmail[.]com, alextucker@softworldnet[.]com, elondavid888@gmail[.]com, robustplutus@gmail[.]com

Title: Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers
Link: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers/
Summary: In mid-2024, Mandiant uncovered the compromise of Juniper Networks Junos OS routers by the China-linked espionage group UNC3886, which used custom backdoors, chiefly one called TINYSHELL. These backdoors featured advanced functions, including the ability to disable logging mechanisms, and were specifically targeted at end-of-life Juniper MX routers that typically lack adequate security monitoring, enabling stealthy, long-term access. Mandiant's investigation revealed sophisticated techniques, including process injection to evade security measures, abuse of legitimate credentials, and payloads that manipulate logging behaviour, allowing undetected access and potential data exfiltration.
Threats: unc3886_group tinyshell volt_typhoon_group ghostemperor_group process_injection_technique lmpad gobrat libpcap_tool reptile medusa_rootkit seaelf pithook ghosttown
Indicators of compromise:
-------------------------
ip: 129[.]126[.]109[.]50:22, 116[.]88[.]34[.]184:22, 223[.]25[.]78[.]136:22, 45[.]77[.]39[.]28:22, 101[.]100[.]182[.]122:22, 118[.]189[.]188[.]122:22, 158[.]140[.]135[.]244:22, 8[.]222[.]225[.]8:22
domain:
url: tcp://101[.]100[.]182[.]122:22, tcp://118[.]189[.]188[.]122:22, tcp://158[.]140[.]135[.]244:22, tcp://8[.]222[.]225[.]8:22
hash:
- md5=2c89a18944d3a895bd6432415546635e, sha256=98380ec6bf4e03d3ff490cdc6c48c37714450930e4adf82e6e14d244d8373888, sha1=50520639cf77df0c15cc95076fac901e3d04b708
- md5=aac5d83d296df81c9259c9a533a8423a, sha1=1a6d07da7e77a5706dd8af899ebe4daa74bbbe91, sha256=5bef7608d66112315eefff354dae42f49178b7498f994a728ae6203a8a59f5a2
- sha256=c0ec15e08b4fb3730c5695fb7b4a6b85f7fe341282ad469e4e141c40ead310c3, sha1=06a1f879da398c00522649171526dc968f769093, md5=8023d01ffb7a38b582f0d598afb974ee
- sha1=f8697b400059d4d5082eee2d269735aa8ea2df9a, sha256=5995aaff5a047565c0d7fe3c80fa354c40e7e8c3e7d4df292316c8472d4ac67a, md5=5724d76f832ce8061f74b0e9f1dcad90
- sha256=905b18d5df58dd6c16930e318d9574a2ad793ec993ad2f68bca813574e3d854b, sha1=cf7af504ef0796d91207e41815187a793d430d85, md5=e7622d983d22e749b3658600df00296d
- sha1=01735bb47a933ae9ec470e6be737d8f646a8ec66, md5=b9e4784fa0e6283ce6e2094426a02fce, sha256=e1de05a2832437ab70d36c4c05b43c4a57f856289224bbd41182deea978400ed
- sha256=3751997cfcb038e6b658e9180bc7cce28a3c25dbb892b661bcd1065723f11f7e, sha1=cec327e51b79cf11b3eeffebf1be8ac0d66e9529, md5=bf80c96089d37b8571b5de7cab14dd9f
- md5=3243e04afe18cc5e1230d49011e19899, sha1=2e9215a203e908483d04dfc0328651d79d35b54f, sha256=7ae38a27494dd6c1bc9ab3c02c3709282e0ebcf1e5fcf59a57dc3ae56cfd13b4
email:

Title: KoSpy
Link: https://security.lookout.com/threat-intelligence/article/lookout-discovers-new-spyware-by-north-korean-apt37
Summary: KoSpy is an Android spyware linked to the North Korean group APT37, also known as ScarCruft, which targets Korean- and English-speaking users. Discovered in March 2022, it masquerades as legitimate utility applications to lure victims and operates through a two-stage command and control (C2) system that uses Firebase Firestore for configuration, giving the operators flexibility against detection. The spyware can collect sensitive data such as SMS messages, call logs, geolocation, and audio recordings, and uses hardcoded AES encryption for communication with its C2 servers. KoSpy's infrastructure overlaps with that of another North Korean group, APT43, complicating attribution, and its removal from the Google Play Store has not eliminated its presence on third-party platforms.
Threats: kospy scarcruft_group kimsuky_group konni_rat
Indicators of compromise:
-------------------------
ip: 27[.]255[.]79[.]225
domain: naverfiles[.]com, mailcorp[.]center, nidlogon[.]com, joinupvts[.]org, resolveissue[.]org, crowdon[.]info
url: https://goldensnakeblog[.]blogspot[.]com/2023/02/privacy-policy[.]html
hash:
- sha1=911d9f05e1c57a745cb0c669f3e1b67ac4a08601
- sha1=cd62a9ab320b4f6be49be11c9b1d2d5519cc4860
- sha1=2d1537e92878a3a14b5b3f55b32c91b099513ae0
- sha1=f08f036a0c79a53f6b0c9ad84fb6eac1ac79c168
- sha1=df39ab90c89aa77a92295721688b18e7f1fdb38d
- sha1=ea6d12e4a465a7a44cbad12659ade8a4999d64d1
- sha1=1cc97e490b5f8a582b6b03bdba58cb5f1a389e78
- sha1=1a167b65be75fd0651bbda072c856628973a3c1e
- sha1=985fd1f74eb617b1fea17095f9e991dcaceec170
- sha1=744e5181e76c68b8b23a19b939942de9e1db1daa
- sha1=062a869caac496d0182decfadc57a23057caa4ab
- sha1=b84604cad2f3a80fb50415aa069cce7af381e249
- sha1=3278324744e14ddf4f4312d375f82b31026f51b5
- sha1=5639fa1fa389ed32f8a8d1ebada8bbbe03ac5171
email: mlyqwl@gmail[.]com

Title: Konni's Latest AsyncRAT Attack: Infection Technique Leveraging LNK Files
Link: https://www.enki.co.kr/media-center/blog/konni-s-asyncrat-attack-lnk-based-infection
Summary: The report details a recent attack attributed to the North Korean hacking group Konni, highlighting its use of LNK files as the vector for malware distribution, specifically AsyncRAT. The investigation, which used VirusTotal's hunting feature, revealed that Konni employed cloud services such as Dropbox and Google Drive to disseminate malware and to maintain an infection log. Key findings include the execution of obfuscated PowerShell commands embedded in file metadata, as well as the group's evolution in malware delivery toward dynamically specified execution parameters, which complicates efforts to trace its activity. Additionally, the report identifies specific command-and-control servers used by the group and notes coordinated phishing tactics across multiple infrastructures.
Threats: scarcruft_group asyncrat kimsuky_group
Indicators of compromise:
-------------------------
ip: 74[.]50[.]94[.]175:9992, 74[.]50[.]94[.]175:7628, 206[.]206[.]127[.]152:7628, 206[.]206[.]127[.]152:7032, 159[.]100[.]13[.]216, 206[.]206[.]127[.]152, 206[.]206[.]127[.]152:9027, 206[.]206[.]127[.]152:9002, 206[.]206[.]127[.]152:6105, 74[.]50[.]94[.]175, 74[.]50[.]94[.]47, 206[.]206[.]127[.]152:6606, 74[.]50[.]94[.]175:7032
domain: duplikyservjc[.]cloud, thisduplikyservjc[.]cloud, system[.]duplikyservjc[.]cloud, olsiop[.]shop, acieodls[.]shop, domainolsiop[.]shop, classacieodls[.]shop
url: https://olsiop[.]shop/page?m=verify&token=cW9yd2tyZGlyMTIzQG5hdmVyLmNvbQ==&last=security, https://RRGrg3yur78ewgewFf@acieodls[.]shop/page/?m=verify&token=dXNvdXBwQG5hdmVyLmNvbQ==&last=security
hash:
- sha256=aacb5aca178f6444a82bca1febb282a2859c5a43208ad1cdd39977dc3521f0f6
- sha256=811d221a1340e64aa1736d9d4e8f80820a5a02fab3d0c9e454f3ed35cd717b81
- sha256=5967513540ad610ddbbc124f2437cf58dd10341da7d8d016932e74c3241dfa2a
- sha256=47abd1682a88f7aadd3fe57583a7edba9cae2d7cf6632df19fbe687544dac632
- sha256=9af27198deefa87bb1d3868abb295f0136c18e74b5231772351c359ccd740323
- sha256=694af547d321771e69c48cf3c04411fc1de1b5d4a465815c54fff44d3d8da790
- sha256=68621690299e676b7562aca350a4ab87b898919c140b11bac7282d9c07d53838
- sha256=7a21d0e9793a4f115d395c6e99927d54840a75f9f5501d77eca52c2e35069006
- sha256=11afe5cc28666c39d3dc3e9d51f780e55ce57e29424861b94002fb3370474f7e
- sha256=268640934dd1f0cfe3a3653221858851a33cbf49a71adfb4d54a04641df11547
- sha256=9c9df2d90602c915005811aabf444653f55024080c61845029f75da758b27320
- sha256=f3aee5924279dd1883efbb04c89166368e954b7e81483507dc032561bb2cf6e1
- sha256=aaecb10ca453bec3bb95bedac6d773a593ea984509845eb7b15d8894d4b385ad
- sha256=ba52ab256079f80fdf9c47bf5fc215fed99ed1659c976ca692f4493e08e4b301
- sha256=dfeec1052063d6dc69cc6d23ca0cd262cd06899554f5ebd528d5d72935204bf2
- sha256=11ac6151182db3b41f9022b4e4b8a388e982f7fece3a34596bd84c11ec2a4ebd
- sha256=52b8e4da732d06000e29d7609668021be8cc99fccd9fb4a04f93f1c25d11bdd6
- sha256=f4c4f68f8b27279b00b718b02392d5dfe1766c342a189a51e0e2a6f6412e1ce0
- sha256=e6e3a8fb352641bb5b6f6db1479490d942852d77d9ca30b2f0931f28e2691983
email: andreytony001@gmail[.]com, help@taylorswift[.]store

Title: New Ransomware Operator Exploits Fortinet Vulnerability Duo
Link: https://www.forescout.com/blog/new-ransomware-operator-exploits-fortinet-vulnerability-duo/
Summary: The report introduces a new threat actor named "Mora_001," associated with a series of ransomware attacks that exploit vulnerabilities in Fortinet devices, specifically CVE-2024-55591 and CVE-2025-24472, which allow unauthorized access to super_admin privileges. Mora_001 employs tactics reminiscent of the LockBit ransomware group while showing unique operational patterns, such as using identical usernames across victim networks and overlapping IP addresses across attack phases. The actor uses a modified ransomware strain called "SuperBlack," characterized by alterations to the ransom note content and exfiltration techniques, as it moves laterally to high-value targets. Its methods include exploiting TACACS+ or RADIUS configurations for credential access and anti-forensic steps to erase traces after encryption, indicating a sophisticated approach to modern ransomware operations.
Threats: mora_001_group superblack lockbit blackmatter wipeblack brain_cipher sensayq_ransomware estate_ransomware reborn_ransomware
Indicators of compromise:
-------------------------
ip: 80[.]66[.]88[.]90, 192[.]248[.]155[.]218, 89[.]248[.]192[.]55, 185[.]147[.]124[.]34, 94[.]154[.]35[.]208, 185[.]147[.]124[.]31, 96[.]31[.]67[.]39, 94[.]156[.]177[.]187, 170[.]130[.]55[.]164, 185[.]147[.]124[.]10, 109[.]248[.]160[.]118, 213[.]176[.]64[.]114, 57[.]69[.]19[.]70, 185[.]147[.]124[.]55, 176[.]53[.]147[.]5, 80[.]64[.]30[.]237, 193[.]143[.]1[.]65, 185[.]224[.]0[.]201, 5[.]181[.]171[.]133, 94[.]156[.]227[.]208, 95[.]217[.]78[.]122, 77[.]239[.]112[.]0, 185[.]95[.]159[.]43, 95[.]179[.]234[.]4, 217[.]144[.]189[.]35, 45[.]15[.]17[.]67
domain: lockbitaptxxx[.]onion
url:
hash:
- sha256=c994b132b2a264b8cf1d47b2f432fe6bda631b994ec7dcddf5650113f4a5a404
- sha256=813ad8caa4dcbd814c1ee9ea28040d74338e79e76beae92bedc8a47b402dedc2
- sha256=782c3c463809cd818dadad736f076c36cdea01d8c4efed094d78661ba0a57045
- sha256=d9938ac4346d03a07f8ce8b57436e75ba5e936372b9bfd0386f18f6d56902c88
- md5=914685b69f2ac2ff61b6b0f1883a054d
- sha256=f383bca7e763b9a76e64489f1e2e54c44e1fd24094e9f3a28d4b45b5ec88b513
- sha256=917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
email:

This article was generated with the assistance of an artificial intelligence language model, ChatGPT.