DATE | NAME | CATEGORY | SUBCATEGORY | INFO
27.2.2025 | Yodobashi Camera users targeted with a new phish wave | ALERTS | PHISHING | In Japan, Yodobashi Camera Co., Ltd is a major retail chain that sells electronics, PCs, cameras and photographic equipment. Recently, Symantec has observed a new wave of phish runs spoofing Yodobashi Camera services. The email content claims that the customer's information has been changed and entices users to click on the phishing URL to confirm the change. |
27.2.2025 | Vedalia APT group phishing campaign delivers RokRat malware across Asia | ALERTS | APT | A phishing campaign by the North Korean-linked threat actor Vedalia (also known as APT37, RedEyes and ScarCruft) has been reported delivering fileless RokRat malware. The campaign targets government and corporate entities across South Korea and Asia. |
27.2.2025 | LightSpy: A new multi-platform Spyware variant targeting social media | ALERTS | VIRUS | A multi-platform variant of the LightSpy spyware with an expanded list of command functionalities has been reported. It has shifted its focus from messaging apps to extracting data from social media platforms such as Facebook and Instagram, including messages, contacts and account metadata. |
27.2.2025 | Updated TgToxic Android malware | ALERTS | VIRUS | TgToxic is an infostealing malware that was first spread via phishing sites and compromised social media accounts. This new version of the TgToxic malware can be delivered through a single malicious SMS text. |
27.2.2025 | New Snake Keylogger variant | ALERTS | VIRUS | A new variant of the Snake Keylogger, also known as the 404 Keylogger, targeting Windows users has been observed. Snake Keylogger typically spreads via phishing emails containing a malicious attachment or URL. It targets popular web browsers (such as Chrome, Edge, Firefox, etc.) and monitors/logs keystrokes. |
27.2.2025 | Threat actors spoof Sagawa Express services to steal credentials | ALERTS | OPERATION | Symantec has identified a new wave of phishing attacks that impersonate Sagawa Express services to steal credentials. In this campaign, phishing emails are disguised as delivery notifications requesting an immediate update of the delivery address. The email content is brief, encouraging recipients to click on a phishing URL. Once clicked, victims encounter webpages designed for credential harvesting. |
27.2.2025 | FatalRAT malware distributed via Operation SalmonSlalom | ALERTS | VIRUS | Operation SalmonSlalom is a new malicious campaign targeted at industrial organizations in the Asia-Pacific (APAC) region. The attackers have been leveraging various first- and second-stage loaders leading up to infection with the FatalRAT final payload. |
26.2.2025 | Fake DeepSeek websites lead to malware infections | ALERTS | VIRUS | A number of DeepSeek-themed malware campaigns have been reported in the wild lately. DeepSeek is a recently released AI-powered chatbot, similar to the well-known ChatGPT. The attackers have been leveraging the growing popularity of the DeepSeek brand by creating a large number of fake DeepSeek websites and look-alike domains used to serve malicious payloads. |
26.2.2025 | New Phishing Campaign Targets ANA Mileage Club Users | ALERTS | CAMPAIGN | Symantec has detected a phishing campaign targeting Japanese users with fake All Nippon Airways (ANA) emails. The emails use the subject line 「ANAマイレージクラブ 重要なお知らせ - 事後登録手続きのお願い」 (translated: "ANA Mileage Club Important Notice - Request for Retroactive Registration Procedure"). |
26.2.2025 | Ghostwriter malicious campaign | ALERTS | CAMPAIGN | Ghostwriter is a malicious campaign attributed to the UNC1151 (UAC-0057) threat group. The campaign is believed to have been actively running since at least 2016, with the latest iterations observed around November-December 2024. The campaign has been reported to target military and government organizations in Ukraine as well as activists in Belarus. The attackers are known to leverage Excel documents containing malicious VBA macros to initialize the attack. Later infection stages lead to execution of a downloader malware called PicassoDownloader, which has already been used in older campaigns linked to the same threat actors. |
20.2.2025 | Phishing campaign disguises as ChatGPT Subscription | ALERTS | PHISHING | In a recent phishing campaign observed by Symantec, emails disguised as "monthly subscription" notifications are being sent to targeted recipients. The subject lines often include keywords like "action required" or "Reminder", a common tactic to lure the recipient into opening the email. The body of the email claims that a $24 monthly subscription fee is required to access ChatGPT's premium features. To complete the payment, recipients are prompted to click on a phishing URL designed to steal their credentials. |
20.2.2025 | Core Ransomware - a new Makop variant | ALERTS | RANSOM | Core ransomware is a new Makop malware variant recently found in the wild. The ransomware encrypts user files and appends the .core extension to them. The victim's unique ID and the developers' email address are also appended to the extension. The malware drops a ransom note in the form of a text file called "README-WARNING.txt". Core also has the capability to delete volume shadow copies and backup data on the infected endpoints, as well as functionality to modify registry entries to ensure its persistence on the machine. |
20.2.2025 | Ghost (aka Cring) Ransomware | ALERTS | RANSOM | Symantec Security Response is aware of the recent joint alert from CISA, FBI and MS-ISAC concerning a number of recent campaigns distributing the Ghost (aka Cring) ransomware. The attackers behind this ransomware family are known to leverage exploitation of publicly disclosed vulnerabilities in an effort to access internet facing vulnerable servers. Some of the exploited vulnerabilities include but are not limited to: CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207. |
20.2.2025 | XingCode disguised malware exhibits XWorm characteristics | ALERTS | VIRUS | Recently, malware samples were discovered disguised as XingCode software executables. XingCode is an anti-cheat software commonly used in online games to prevent cheating, hacking and unauthorized third-party tools. These malicious files contain embedded PowerShell scripts used to deobfuscate data. The files exhibit characteristics of XWorm malware with capabilities such as system manipulation, data exfiltration and keylogging designed to create persistence and evade detection. |
20.2.2025 | Rhadamanthys Infostealer campaign exploits MSC files and Console Taskpad | ALERTS | VIRUS | Since mid-2024, there has been an increase in the distribution of MSC malware with campaigns observed exploiting the CVE-2024-43572 Microsoft Windows Management Console remote code execution (RCE) vulnerability. A campaign distributing the Rhadamanthys Infostealer has been observed with the malware disguised as MSC files. The newly identified MSC file belongs to the variant that executes the "command" command via Console Taskpad. |
20.2.2025 | Nigerian threat actor distributes XLogger malware | ALERTS | VIRUS | A malware campaign by a Nigerian threat actor has been observed distributing XLogger malware. The campaign begins with harvesting email addresses using Google dorking techniques and setting up spoofed domains with bulletproof hosting. Users are lured through phishing emails crafted with ChatGPT containing RAR attachments with executable files. Upon execution, a PowerShell script decrypts the malware payload which then exfiltrates stolen data to a Telegram channel. |
19.2.2025 | | ALERTS | VIRUS | In a recent report published by Palo Alto Networks, links to a variant of Bookworm malware were uncovered based on activity of the Fireant (aka Stately Taurus) group impacting Southeast Asian countries. Per the report, Bookworm is a modular Trojan first observed in 2015, with no previous group attribution. The original Bookworm malware leveraged DLL sideloading to decrypt and launch attacker shellcode. In more recent variants, the shellcode is formatted as UUID strings, which are then decoded into binary data and launched via legitimate API functions, discarding the use of sideloading altogether. |
19.2.2025 | ACR Stealer malware leverages Dead Drop Resolver (DDR) technique | ALERTS | VIRUS | ACR Stealer is a C++-based infostealing malware variant discovered initially in early 2024. The malware is known to be advertised for sale in the form of a Malware-as-a-Service (MaaS) offering. ACR Stealer is believed to be an updated variant of an older infostealer called GrMsk Stealer. Functionality-wise, the malware targets collection and exfiltration of miscellaneous sensitive data including system information, credentials, browser cookies, configuration files of 3rd party apps, cryptocurrency wallets, etc. |
18.2.2025 | Recent RedCurl (aka EarthKapre) APT activity | ALERTS | APT | RedCurl (also known as EarthKapre) is a threat group known for conducting espionage and data exfiltration activities. The recently observed campaign attributed to this threat actor has been leveraging a legitimate Adobe executable (ADNotificationManager.exe) to sideload malicious binaries. The infection chain is initiated via crafted PDF malspam leading to ZIP-compressed .img binaries. Upon execution/mounting of the .img file, a malicious .dll binary is sideloaded onto the compromised endpoint. After successful infection, the threat actors have been observed executing the SysInternals Active Directory Explorer (AD Explorer) tool for data collection and later utilizing Cloudflare Workers infrastructure for C2 purposes. |
17.2.2025 | CipherLocker Ransomware | ALERTS | RANSOM | CipherLocker is a new ransomware variant identified in the wild. The malware encrypts user data and appends the .clocker extension to the locked files. The ransom note is dropped in the form of a text file called "README.txt" and contains instructions for the victims, including the attackers' email contact details. CipherLocker has the capability to delete both Volume Shadow copies and backup files on the infected endpoints. |
14.2.2025 | Zhong Stealer malware spread via social engineering | ALERTS | VIRUS | Zhong Stealer is a malware variant recently spread in a distribution campaign targeting fintech and cryptocurrency sectors. The attackers have been leveraging chat platforms to open tickets with various support teams and supplying .zip archives with malicious binaries to unsuspecting support staff. One of the payloads distributed this way was Zhong Stealer which is used by the threat actors to collect and exfiltrate confidential data such as credentials from the infected endpoints. |
14.2.2025 | Vgod Ransomware | ALERTS | RANSOM | Vgod is a new ransomware variant recently identified in the wild. Upon file encryption, the malware appends the .vgod extension to the encrypted files. The ransom note is dropped in the form of a text file called "Decryption Instructions.txt", with the attackers asking the victims to contact them for decryption instructions. Vgod ransomware also changes the desktop wallpaper on the infected machine to indicate to the victim that the files have been encrypted. |
14.2.2025 | Lynx Ransomware, established in 2024 | ALERTS | RANSOM | Lynx ransomware was first observed in mid-2024 and is believed to be a successor of INC ransomware, according to a recent report by Fortinet. Lynx has been observed targeting Windows systems across multiple industries around the world. Per the report, the United States has seen the majority of victims, while Canada and the United Kingdom are a distant second. Manufacturing and construction industries make up almost half of the victims. |
14.2.2025 | Xelera Ransomware | ALERTS | RANSOM | Xelera is a Python-based ransomware variant recently distributed in campaigns targeting potential job applicants to the Food Corporation of India (FCI), which is a public sector company. The attackers leverage fake job description/notification documents to lure the potential victims. The campaign spreads PyInstaller executables containing both a Discord bot and ransomware components. The dropped Discord bot is used, among other things, for privilege escalation, system information exfiltration, locking down the system, and theft of credentials stored in web browsers. Alongside the deployment of the Xelera ransomware components, the attackers also utilize the MEMZ tool, which is an MBR corruption utility. |
13.2.2025 | DEEP#DRIVE attack campaign | ALERTS | CAMPAIGN | DEEP#DRIVE is a recently discovered malicious campaign targeting enterprises, government entities and cryptocurrency users in South Korea. The attackers leverage phishing emails containing zip archives with shortcut .lnk files disguised as legitimate documents (in PDF, HWP or MS Office formats). Further attack stages rely on PowerShell script execution, establishing persistence on the targeted endpoints, and download of Dropbox-hosted payloads. |
13.2.2025 | RevivalStone malware campaign deploys new Winnti variant | ALERTS | VIRUS | A malware campaign dubbed RevivalStone has been identified targeting Japanese organizations in the manufacturing and energy sectors. The campaign is attributed to the China-linked APT group APT41 which is deploying a new variant of the infamous Winnti malware. The attack vector begins with the exploitation of SQL injection vulnerabilities in web-facing ERP systems allowing attackers to deploy web shells and gain initial access. Once inside the network, the threat actors deploy an updated version of Winnti malware which includes a rootkit for maintaining persistence and encrypted communication channels to avoid detection. |
13.2.2025 | Destiny Stealer | ALERTS | VIRUS | There is no shortage of stealers in the threat landscape, and Destiny Stealer is a new one being advertised, with Symantec observing testing activities. This malware is a run-of-the-mill infostealer designed to harvest login credentials from web browsers and applications, exfiltrate specific file types like documents and images, and steal FTP credentials. Like many other stealers, it also targets cryptocurrency wallets such as Exodus, Blockchain.com, Binance, and MetaMask. Additionally, it gathers system information and monitors clipboard activity for sensitive data. Destiny Stealer follows the typical playbook of modern infostealers, incorporating generic anti-detection mechanisms. |
13.2.2025 | Phishing campaigns target Ukraine's banking sector with SmokeLoader malware | ALERTS | PHISHING | Phishing campaigns specifically targeting Ukraine's automotive and banking sectors using SmokeLoader malware have been observed in the wild. One such campaign targets customers of PrivatBank, Ukraine’s largest state-owned bank. Users are lured with financial-themed documents such as fabricated invoices and account statements to increase interaction and compromise systems. The campaign leverages password-protected archives containing malicious JavaScript, VBScript and LNK files to evade detection. SmokeLoader malware is deployed via process injection and PowerShell execution with the goal of stealing credentials and financial data while maintaining persistent access to compromised systems. |
13.2.2025 | Library-ms files seen abused in recent malspam campaign | ALERTS | SPAM | Symantec has recently observed a malspam campaign utilizing attached library-ms files. Library-ms files allow users to view the contents of multiple directories within a single File Explorer view. By creating legitimate-looking local File Explorer windows that point at remote WebDAV servers, threat actors serve malicious LNK files to unsuspecting victims. Once executed, the LNK file allows further infection with additional malware of the attackers' choice. |
12.2.2025 | CVE-2024-20767 - Path Traversal Vulnerability in Adobe ColdFusion | ALERTS | VULNERABILITY | In December 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Adobe ColdFusion vulnerability CVE-2024-20767 to its Known Exploited Vulnerabilities (KEV) catalog. This "Path Traversal" flaw allows an attacker to bypass pathname restrictions, potentially leading to arbitrary file system reads. The vulnerability, with a CVSS score of 7.4, affects ColdFusion versions 2023.6, 2021.12 and earlier and requires an exposed admin panel for exploitation. Experts have noted the availability of proof-of-concept (PoC) exploit code. Adobe has since released out-of-band security updates to mitigate this critical issue. |
12.2.2025 | FINALDRAFT malware discovered in REF7707 campaign | ALERTS | VIRUS | A new malware variant named FINALDRAFT has been discovered as part of the REF7707 campaign targeting the Foreign Ministry of a South American nation. The malware exists in both Windows and Linux variants and leverages Microsoft’s Graph API service for command and control operations. Additionally, the campaign utilizes PATHLOADER and GUIDLOADER malware to download and execute encrypted shellcodes directly in memory. |
11.2.2025 | China-linked espionage tools used in ransomware attacks | ALERTS | RANSOM | Tools that are usually associated with China-based espionage actors were recently deployed in an attack involving the RA World ransomware against an Asian software and services company. During the attack in late 2024, the attacker deployed a distinct toolset that had previously been used by a China-linked actor in classic espionage attacks. While tools associated with China-based espionage groups are often shared resources, many aren’t publicly available and aren’t usually associated with cybercrime activity. |
11.2.2025 | Trojanized KMS activation tools leveraged in latest Sandworm APT campaigns | ALERTS | APT | According to the latest report published by EclecticIQ researchers, Sandworm APT (aka APT44, UAC-0145) has been recently engaged in espionage activities against users in Ukraine. The attackers have been leveraging trojanized Microsoft Key Management Service (KMS) activator tools and fake update installers in efforts aimed at distribution of a new BackOrder loader variant. This new variant utilizes various LOLbin binaries as one of the defence evasion measures. The final payload spread in this campaign belongs to the Dark Crystal RAT (DcRAT) malware family and can be used by the threat actors for cyber espionage and sensitive data exfiltration. |
11.2.2025 | Cryptocurrency mining malware distributed via USB | ALERTS | CRYPTOCURRENCY | Cryptocurrency mining malware has spread to victims through USB propagation in South Korea. Beyond persisting through USB infection, the malware has been observed modifying system settings and using security bypass techniques to maximize its impact. In particular, the CoinMiner malware employs techniques such as C2 server communication, DLL sideloading for execution bypass, detection evasion via Windows Defender exclusion settings, and disabling of hibernation for optimum mining performance. |
10.2.2025 | China-Linked threat actors target IIS servers with BadIIS malware | ALERTS | VIRUS | According to reports from Trend Micro, threat actors have been observed targeting Internet Information Services (IIS) servers as part of an SEO manipulation campaign designed to deploy BadIIS malware. The campaign believed to be linked to China-based threat actors specifically targets servers in Asia. As part of the attack users are redirected to illegal gambling websites or rogue servers hosting malware or credential-harvesting pages with the ultimate goal of financial gain. |
10.2.2025 | Astral Stealer malware | ALERTS | VIRUS | Astral Stealer is an infostealing malware advertised as a fork of older malware strains dubbed Hazard Grabber and Wasp Stealer. Astral Stealer is used to collect and exfiltrate a wide variety of sensitive information including system information, credentials, banking related data, web browser data, cookies, clipboard content, cryptocurrency wallets, 3rd party app data, files, tokens and others. The malware has the capabilities for antivirus evasion, VM/sandbox environment detection as well as some persistence mechanisms. The exfiltration of the collected data might happen over the attacker-controlled command and control channels or via webhooks. |
10.2.2025 | SapphireRAT malware | ALERTS | VIRUS | A new phishing campaign has been observed targeting Latin American organizations using fake judicial late fee receipts to distribute SapphireRAT malware. The threat actor provides detailed instructions on how to review and sign the relevant document attempting to add legitimacy to the email. However, these instructions include a URL that redirects the recipient to a malicious domain. This domain is specifically designed to host and deliver the SapphireRAT malware, furthering the attacker's objective of compromising the recipient's system. |
10.2.2025 | FinStealer mobile banking malware | ALERTS | VIRUS | A new mobile malware variant dubbed FinStealer has been identified in the wild. Spread via phishing campaigns or unofficial mobile app repositories, the malware binaries are disguised as mobile apps impersonating legitimate banking institutions. FinStealer will extract various banking information, credentials, credit card numbers and other PII (Personally Identifiable Information) from the victims. The malware is coded in Kotlin which is a cross-platform high-level programming language compatible with Java. The attackers extract the collected data via Telegram bots as well as via controlled C&C infrastructure. |
10.2.2025 | SparkCat: Cross-Platform malware targets Crypto Wallets via OCR on Android and iOS. | ALERTS | VIRUS | A new malware campaign dubbed SparkCat has been discovered targeting both Android and iOS users through official and unofficial app stores, affecting users across Europe and Asia. The malware employs OCR technology to scan users' image galleries for cryptocurrency wallet recovery phrases. It leverages Google’s ML Kit for OCR and communicates with command-and-control (C2) servers using a custom Rust-based protocol. |
07.2.2025 | Old Telerik UI RCE vulnerability leveraged for JuicyPotatoNG distribution | ALERTS | VULNERABILITY | The exploitation of an almost six-year-old Telerik UI RCE vulnerability (CVE-2019-18935) has been observed recently in the wild. The flaw is a .NET JSON deserialization vulnerability affecting Telerik UI for ASP.NET AJAX that, if successfully exploited, could allow remote code execution. The attackers have been targeting vulnerable web servers in an effort to deliver malicious reverse shells alongside the JuicyPotatoNG privilege escalation tool. The attackers' efforts aim at reconnaissance of potential victims and information collection about the targeted environments. |
07.2.2025 | FleshStealer malware | ALERTS | VIRUS | FleshStealer is a new infostealer variant recently identified in the wild. The malware targets Chromium-based web browsers for information extraction (including passwords, cookies, etc.). Other infostealing functionalities allow this malware to perform cryptowallet theft as well as exfiltration of two-factor authentication (2FA) passwords or Wifi network credentials. FleshStealer features advanced encryption mechanisms as well as detection capabilities for the presence of debugging tools or VM environments. Sale of this malware has been promoted by threat actors via Telegram and Discord platforms. |
07.2.2025 | Infostealers targeting macOS on the rise | ALERTS | VIRUS | A recent report from Unit42 by Palo Alto Networks highlights a surge in activity related to infostealers on macOS. The report identifies three particular malware families, Atomic Stealer, Cthulhu Stealer, and Poseidon Stealer, as some of the most prevalent examples. These three families are sold as malware as a service. |
07.2.2025 | CVE-2025-0411 Zero-Day vulnerability in 7-Zip exploited in cyberespionage campaign targeting Ukraine | ALERTS | VULNERABILITY | According to a recent report from Trend Micro, a zero-day vulnerability in 7-Zip identified as CVE-2025-0411 has been exploited in a cyberespionage campaign targeting Ukrainian organizations. This vulnerability allows attackers to bypass Windows Mark-of-the-Web protections by double-archiving files, thereby evading essential security checks and enabling the execution of malicious content. Russian-linked threat actor groups have actively leveraged this flaw through spear-phishing campaigns using homoglyph attacks to spoof document extensions and trick users into executing the malicious files. |
06.2.2025 | North Korean hackers deploy FlexibleFerret malware to target macOS developers | ALERTS | VIRUS | A newly discovered malware strain dubbed FlexibleFerret has been identified as part of the ongoing North Korean Contagious Interview campaign. In this attack, threat actors trick victims into installing malware disguised as meeting software updates like VCam or Chrome during the job interview process. Unlike other variants of the macOS malware family, FlexibleFerret was signed with a valid Apple Developer signature and Team ID, and contains other elements that make it appear to be legitimate software. This appearance of legitimacy helps it establish persistence, enabling remote access and leading to cryptocurrency theft. |
05.2.2025 | MMS phishing campaign targeting users with fake shipping PDFs | ALERTS | PHISHING | A phishing campaign has recently been reported targeting users with MMS messages carrying attached PDFs. The messages attempt to spoof popular delivery services in order to convince victims to open the attached PDF. When opened, the victim is prompted with a screen requesting that they 'unlock' the file by visiting a malicious page controlled by the attackers and entering their credentials. |
05.2.2025 | CVE-2024-52875 - KerioControl CRLF injection vulnerability | ALERTS | VULNERABILITY | CVE-2024-52875 is a recently discovered critical CRLF injection vulnerability affecting the GFI KerioControl network security solution in versions 9.2.5 through 9.4.5. Successful exploitation of this flaw might allow attackers to inject malicious JavaScript code, leading to CSRF token theft and arbitrary code execution within the context of the vulnerable application. According to recently published reports, the vulnerability has been actively exploited in the wild. The product vendor has already released a patch version, "9.4.5 Patch 1", to address this vulnerability. |
05.2.2025 | CVE-2023-48365 - Qlik Sense HTTP Tunneling vulnerability reported as exploited in the wild | ALERTS | VULNERABILITY | CVE-2023-48365 is a bypass of the original fix for an older flaw, CVE-2023-41265, in the Qlik Sense Enterprise product. The vulnerability might allow unauthenticated attackers to perform remote code execution even after applying the patches for the CVE-2023-41265 and CVE-2023-41266 flaws. The product vendor has already released a new patch addressing this bypass with an updated filtering mechanism that is less prone to HTTP request tunneling attacks. This vulnerability has just recently been added to the CISA Known Exploited Vulnerabilities (KEV) Catalog following reports of in-the-wild exploitation. |
04.2.2025 | CVE-2024-57727 - SimpleHelp Directory Traversal vulnerability | ALERTS | VULNERABILITY | CVE-2024-57727 is a high severity (CVSS score 7.5) directory traversal vulnerability affecting SimpleHelp remote support software in version 5.5.7 or older. If successfully exploited, the flaw might allow unauthenticated attackers to download arbitrary files from SimpleHelp servers, including configuration files containing hashed passwords for the SimpleHelpAdmin account or other accounts. |
03.2.2025 | Attack Campaign targets Brazilian financial sector with Coyote Banking Trojan | ALERTS | VIRUS | A multi-stage attack campaign leveraging LNK files to deploy the Coyote Banking Trojan has been reported, primarily targeting Brazilian financial applications. As part of the attack vector the malware uses PowerShell commands, shellcode injection and registry modifications to maintain persistence and evade detection. The malware has capabilities such as keylogging, screenshot capture and displaying phishing overlays. It monitors user activity, steals sensitive data from targeted websites and exfiltrates it to the attacker's C2 servers. |