ALERTS 2025 JANUARY  HOME  AI  APT  BOTNET  CAMPAIGN  CRIME  CRYPTOCURRENCY  EXPLOIT  HACKING  GROUP  OPERATION  PHISHING  RANSOM  SPAM  VIRUS  VULNEREBILITY

2024 March(16) April(92) May(99) June(94) July(88) August(112) SEPTEMBER(67) October(0) November(0) December(0)  2025 January(36) February(50) March(51)

DATE

NAME

CATEGORY

SUBCATE

INFO

31.1.25 SparkRAT - a cross-platform modular malware ALERTS VIRUS SparkRAT is a Golang-based modular malware variant initially discovered back in 2022. With its cross-platform support it targets various architectures including Windows, macOS, and Linux. The malware was used in various targeted cyber espionage operations just last year.
31.1.25 Windows Locker ransomware ALERTS RANSOM A new variant of the Windows Locker ransomware has been identified in the wild. The malware encrypts user data and appends .winlocker extension to the locked files. A ransom request is dropped in form of a text file "Readme.txt" with information on how to contact the threat actors and on how to pay the ransom demands. Windows Locker ransomware has the functionality to maintain persistence, disable firewall and task manager as well as to delete backups and volume shadow copies on the compromised machine.
29.1.25 Aquabot v3 - a new Mirai variant in the field ALERTS BOTNET A new Mirai malware variant dubbed Aquabot v3 has been observed in the wild. The malware has been reported to exploit CVE-2024-41710 which is a command injection vulnerability affecting various Mitel devices. The malware is also able to exploit some older vulnerabilities affecting Hadoop YARN or various Linksys devices. Aquabot v3 supports a wide range of architectures including x86 and ARM. Functionality-wise the malware is predominately used for initiating DDoS attacks from the compromised devices.
29.1.25 Recent activities of the GamaCopy threat group ALERTS GROUP A new malicious activity attributed to the GamaCopy threat group has been reported in the wild. The TTPs utilized by the group share certain degree of overlap with another APT called Core Werewolf and the discovered activity mimics some of the older attacks conducted by the Shuckworm (aka Gamaredon) APT. The attackers leverage self-extracting (SFX) archive files to deliver decoy .PDF documents alongside of UltraVNC remote desktop tool used for remote access to the compromised endpoints.
29.1.25 TorNet backdoor ALERTS VIRUS TorNet is a new backdoor variant spread within an ongoing malicious campaign targeting prevalently Germany and Poland. The threat actors responsible have also been distributing various other malware payloads including Agent Tesla and Snake Keylogger. According to the recent Cisco Talos report, the attack chain leverages phishing emails disguised as correspondence from financial institutions and manufacturing or logistics companies.
28.1.25 New Lumma Stealer campaign using fake Captchas ALERTS VIRUS A new malware campaign that leverages fake CAPTCHA verification checks to deliver Lumma Stealer has been observed. This campaign has targeted victims from around the world (Argentina, Colombia, U.S., Philippines etc.) and across various industries (such as financial institutions, healthcare, marketing and telecom organizations).
27.1.25 GTA VI Hype Exploited: Malware Masquerades as Early Alpha Access ALERTS EXPLOIT The hype surrounding popular games often becomes a breeding ground for cybercrime, and Grand Theft Auto VI is no exception. A highly anticipated next installment in Rockstar Games' iconic open-world action-adventure series. Officially announced in December 2023, the game is set to release in late 2025 for PlayStation and Xbox.
27.1.25 Phishing Campaign Targets Workplace Anxiety: Email Credentials at Risk ALERTS PHISHING A recent phishing campaign leverages workplace fears and urgency in an attempt to steal email credentials. The attack begins with an email titled "Employment Termination lists and new admin position 2025" and an attached malicious HTML file (Staff Employment Termination listsPDF.html) disguised as an important workplace document. When opened, the attachment displays a fake login page, crafted to resemble a legitimate email login portal.
24.1.25 CVE-2024-50603 - Aviatrix Controller RCE vulnerability exploited in the wild ALERTS VULNEREBILITY CVE-2024-50603 is a critical (CVSS score 10.0) remote code execution vulnerability affecting Aviatrix Controller which has been recently reported as being exploited in the wild. The flaw results due to improper neutralization of user-supplied input and if exploited might allow remote unauthenticated attackers with arbitrary code execution. Product vendor has already addressed this vulnerability in patched versions 7.1.4191 and 7.2.4996. 
24.1.25 PhaaS kit Sneaky 2FA ALERTS PHISHING Phishing-as-a-service (PhaaS) kit dubbed Sneaky 2FA has been observed targeting Microsoft 365 accounts by sending payment type related emails luring recipients into opening fake receipt PDFs containing a QR code that upon scanning redirects to a Sneaky 2FA phishing page. The phishing pages are hosted on a compromised infrastructure, primarily involving WordPress websites and other domains controlled by the Threat Actor. The bogus authentication page(s) are designed to automatically populate the victim's email address to elevate their appearance of legitimacy.
24.1.25 LucKY Gh0$t Ransomware ALERTS RANSOM A ransomware actor operating under the name LucKY Gh0$t has been observed in the threat landscape. The ransomware they employ is a Chaos variant that appends encrypted files with a .[4 random characters] extension. This threat is being spread via drive-by downloads, disguised as a fake ChatGPT desktop version ("ChatGPT 4.0 Full Version - Premium.zip").
23.1.25 Murdoc botnet, a Mirai variant ALERTS BOTNET A new Mirai variant dubbed Murdoc botnet has been discovered in a recently observed campaign. The campaign leverages ELF binaries and shell scripts to target various *nix based systems, such as IoT devices and IP cameras, among others. The shell scripts are deployed to the devices to download and execute the Murdoc botnet payloads from the C2 servers.
22.1.25 Groups targeting users with Email bombing and vishing campaigns ALERTS GROUP Researchers have discovered two groups behind malware campaigns involving email-bombing, Microsoft Teams communication, and remote-control tools. These attacks begin with targeted email-bombing campaigns and continue with the attackers contacting the victims via Teams, posing as IT staff. They then tell the victim they can resolve the recent spam issue by using the Teams screen-sharing option or "Quick Assist." Once remote access is established the groups diverge in tactics, one utilizes Java/Python threats to further the infection, while the other employs side-loading DLLs.
22.1.25 Nnice Ransomware ALERTS RANSOM Nnice is a new ransomware variant recently identified in the wild. The malware encrypts user data and appends “.xdddd” extension to the encrypted files. Beside dropping the ransom note in form of a “Readme.txt" text file, the ransomware also changes the desktop wallpaper to indicate that the user files have been encrypted and ransom is demanded from the victim.
22.1.25 Silent Lynx: New cyber threat group targeting government and financial entities in Kyrgyzstan ALERTS GROUP A new threat group dubbed Silent Lynx has been discovered targeting organizations in Kyrgyzstan and neighboring countries. The group employs a range of techniques such as malicious email attachments, decoy documents and persistence mechanisms to maintain access to compromised systems. Silent Lynx uses sophisticated multi-stage attack methods including ISO files, C++ loaders, PowerShell scripts and Golang implants, primarily targeting government entities, banks and diplomatic operations while leveraging UN-themed lures and employee bonus schemes to deceive victims. For command and control and data exfiltration, Silent Lynx relies on Telegram bots. 
21.1.25 MintsLoader campaign targets energy sector with StealC and BOINC malware ALERTS VIRUS MintsLoader is a sophisticated malware loader that employs advanced techniques to evade detection and enhance its operational effectiveness. Impacted sectors include Electricity, Gas and Oil industries as well as Law firms and Legal service industries all within the U.S. and Europe. The infection process begins when a victim clicks on a link in a phishing email, triggering the download of malicious JScript files, leading to the deployment of secondary payloads like StealC and the Berkeley Open Infrastructure for Network Computing (BOINC) client. The combination of these payloads allows for the consumption of sensitive data from browsers, applications, crypto-wallets, and then the exfiltration to C2 server.
21.1.25 New Tanzeem Android Malware courtesy of DoNot Team ALERTS VIRUS Threat actor APT group known as DoNot Team has been linked to a new Tanzeem Android malware. This malicious Android app primarily uses OneSignal which is a popular customer engagement platform used by organizations to send push notifications, emails, in-app messages, and SMS messages. Once installed the malicious app displays a fake chat screen prompting the victim to click a button named "Start Chat". Doing so triggers a message that instructs the victim to grant permissions to the accessibility services API, thus allowing it to perform various nefarious actions. This further access facilitates the collection of added sensitive information such as call logs, contacts, SMS messages, precise locations, account information, and files present in external storage. Some of the other features include capturing screen recordings and establishing connections to C2 server. 
21.1.25 Redtail Cryptocurrency Mining Malware ALERTS CRYPTOCURRENCY Redtail is an adaptable malware that stealthily installs itself on compromised systems utilizing advanced tactics to persist and exploit systems for unauthorized cryptocurrency mining. It is capable of running on various CPU architectures by utilizing two extra scripts: one script identifies the CPU architecture of the victim system ensuring compatibility for the malware, and a second script removes any other competing crypto-mining software that may already exist on the compromised system. This dual approach tactic maintains persistence and works towards evading detection.

20.1.25

 PNGPlug loader leveraged for ValleyRAT distribution ALERTS VIRUS A new ValleyRAT malware distribution campaign has been reported in the wild. The attackers leverage a new multi-stage loader dubbed PNGPlug within the observed attack chain. The deployed ValleyRAT payload has the functionality for deployed shellcode execution, download of additional arbitrary components, etc. This campaign has been attributed to the Silver Fox APT group and observed to be targeting various companies in several Chinese-speaking regions.

20.1.25

 AIRASHI - a large scale DDoS botnet ALERTS BOTNET Airashi is a variant of the Aisiru botnet observed in the wild last year. The botnet is known to be spread via exposed vulnerabilities as well as through exploitation of weak Telnet credentials. Airashi can be used by attackers to conduct a wide variety of DDoS attacks. Several strains of the botnet binaries also support additional functionalities such as command execution or proxy services.

18.1.25

 Threat actors reusing legitimate government documents to deliver malware ALERTS VIRUS A malware campaign has been linked to nation state actors targeting countries in Central Asia for information gathering. The attacks utilizes legitimate government documents to deliver the malware.

18.1.25

 CVE-2024-55591 - Fortinet FortiOS Authorization Bypass vulnerability ALERTS VULNEREBILITY CVE-2024-55591 is a recently discovered authorization bypass vulnerability affecting Fortinet FortiOS and FortiProxy products. Successful exploitation of the flaw could allow remote attackers to obtain super-admin privileges on the vulnerable devices via crafted requests to Node.js websocket module.

18.1.25

 CVE-2024-12686 - BeyondTrust vulnerability exploited in the wild ALERTS VULNEREBILITY CVE-2024-12686 is a recently disclosed OS command injection vulnerability affecting BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products.

18.1.25

 Recent malicious activities of the Fireant APT group ALERTS APT Fireant (aka RedDelta, Mustang Panda) advanced persistent threat (APT) group has been targeting Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia in recent campaign spreading an updated variant of the PlugX backdoor.

18.1.25

 Ottercookie observed being used by nation states to steal crypto currency ALERTS CRYPTOCURRENCY OtterCookie, an infostealer designed to steal crypto currency information, has recently been observed in use by nation state actors.

18.1.25

 LDAP vulnerability PoC is actually just an infostealer ALERTS VULNEREBILITY CVE-2024-49113 is a vulnerability affecting Microsoft Windows Lightweight Directory Access Protocol (LDAP) which was patched in December. In a recent campaign, attackers have been observed distributing infostealer malware disguised as proof-of-concept (PoC) code for this vulnerability. The fake PoC leverages dropped/downloaded scripts to exfiltrate system information via FTP.

10.1.25

 CVE-2024-55550 - Mitel MiCollab Path Traversal vulnerability ALERTS VULNEREBILITY VE-2024-55550 is a newly disclosed path traversal vulnerability affecting Mitel MiCollab collaboration tool versions 9.8 SP1 FP2 and earlier.

10.1.25

 New variant of Banshee Stealer targets macOS users ALERTS VIRUS A new and updated variant of the macOS-based infostealer malware dubbed Banshee Stealer has been detected in the wild.

10.1.25

 Funksec Ransomware ALERTS RANSOM Funksec (aka Funklocker) is another double-extortion ransomware actor that surfaced in late 2024 and allegedly claimed multiple organizations as victims.

10.1.25

 Latest HexaLocker ransomware attacks leverage Skuld Stealer for data extraction ALERTS RANSOM A new updated variant of the Go-based HexaLocker ransomware has been discovered in the wild. The new strain has the functionality to download infostealer malware called Skuld Stealer, in an effort focused on extraction of confidential data from the infected endpoint.

10.1.25

 CVE-2025-0282 - Ivanti Connect Secure vulnerability exploited in zero-day attacks ALERTS VULNEREBILITY CVE-2025-0282 is a newly disclosed critical (CVSS score 9.0) stack-based buffer overflow vulnerability affecting Ivanti Connect Secure. If successfully exploited, it could allow unauthenticated attackers to execute arbitrary code on the vulnerable instances.

10.1.25

 Old Oracle WebLogic Deserialization vulnerability (CVE-2020-2883) exploited in the wild ALERTS VULNEREBILITY CVE-2020-2883 is a 2020 deserialization vulnerability affecting unpatched Oracle WebLogic servers. If successfully exploited, it could allow remote code execution by unauthenticated attackers via specially crafted T3 port network requests.

10.1.25

 XWorm Middle East Campaign: Fake Mossad Intelligence Reports Used as Lures ALERTS VIRUS As tensions in the Middle East remain high, particularly following recent events in Syria, threat actors are exploiting the volatile situation to target organizations and individuals both within the region and globally, leveraging the allure of sensitive intelligence to entice victims.

10.1.25

 FireScam mobile malware ALERTS VIRUS FireScam is a mobile malware variant recently discovered in the wild. The malware is distributed via a phishing website and under the disguise of Telegram Premium app.

10.1.25

 KGB Keylogger Targets Companies with Fake Russian Ministry-Themed Emails ALERTS VIRUS During the second half of December 2024, an actor has been targeting companies with malicious emails enticing users with a Ministry of Industry and Trade of the Russian Federation (Минпромторг России) social engineering ploy along with the use of a malicious .scr file (Письмо в МНТЦ и ЦРП.scr).

3.1.25

 Nitrogen Ransomware ALERTS RANSOM The double-extortion ransomware group known as Nitrogen has been very active over the past four months, targeting organizations across diverse sectors such as construction, financial services, manufacturing, and technology.