October 2025 Infostealer Trend Report - ASEC

A new report by AhnLab SEcurity intelligence Center on Infostealer malware shows that the malware is being distributed using a strategy called SEO poisoning, while other threat actors are using crack-disguising techniques.

Pulse ID: 691ef0bc44818adcda7ce0a2
Pulse Link: https://otx.alienvault.com/pulse/691ef0bc44818adcda7ce0a2
Pulse Author: CyberHunter_NL
Created: 2025-11-20 10:43:08

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#ASEC #AhnLab #CyberSecurity #InfoSec #InfoStealer #Malware #OTX #OpenThreatExchange #RAT #SEOPoisoning #bot #CyberHunter_NL

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Network devices compromised for adversary-in-the-middle attacks

China-aligned threat actor PlushDaemon has been conducting espionage operations since 2018, targeting entities in China, Taiwan, Hong Kong, Cambodia, South Korea, the United States, and New Zealand. The group employs a custom backdoor called SlowStepper and uses a network implant named EdgeStepper to hijack legitimate updates. EdgeStepper redirects DNS queries to a malicious node, rerouting traffic from legitimate infrastructure to attacker-controlled servers. The group has also exploited web server vulnerabilities and performed a supply-chain attack. PlushDaemon's adversary-in-the-middle technique involves compromising network devices, deploying EdgeStepper, and using it to redirect DNS queries for software updates to malicious nodes. This allows them to serve malicious updates containing the LittleDaemon downloader, which then deploys the SlowStepper implant.

Pulse ID: 691e322b7508a5264ba48186
Pulse Link: https://otx.alienvault.com/pulse/691e322b7508a5264ba48186
Pulse Author: AlienVault
Created: 2025-11-19 21:09:59

#AdversaryInTheMiddle #BackDoor #Cambodia #China #CyberSecurity #DNS #Edge #Espionage #HongKong #InfoSec #Korea #OTX #OpenThreatExchange #RAT #SouthKorea #Troll #UnitedStates #bot #AlienVault

Cooking up trouble: How TamperedChef uses signed apps to deliver stealthy payloads

TamperedChef is a global malvertising and SEO campaign that delivers seemingly legitimate installers disguised as common applications. These installers establish persistence and deliver obfuscated JavaScript payloads for remote access and control. The campaign uses social engineering, malvertising, SEO, and abused digital certificates to increase user trust and evade detection. It employs a network of U.S.-registered shell companies to acquire and rotate code-signing certificates. The campaign primarily affects healthcare, construction, and manufacturing sectors, with a concentration in the Americas. The attackers' motives may include selling remote access, stealing credentials, preparing for ransomware deployment, or engaging in opportunistic espionage.

Pulse ID: 691ece2d1916c387b6074ce5
Pulse Link: https://otx.alienvault.com/pulse/691ece2d1916c387b6074ce5
Pulse Author: AlienVault
Created: 2025-11-20 08:15:41

#Americas #CyberSecurity #Espionage #Healthcare #InfoSec #Java #JavaScript #Malvertising #Manufacturing #OTX #OpenThreatExchange #RAT #RansomWare #Rust #SocialEngineering #bot #AlienVault

UNC1549 Threat Group Hijacking Trusted DLLs and Executing VDI Breakouts

UNC1549, a threat group suspected to be linked to Iran, has sharply expanded its cyber-espionage operations across the aerospace, aviation, and defence sectors.

Pulse ID: 691db7e6f9b3774b1c9280e3
Pulse Link: https://otx.alienvault.com/pulse/691db7e6f9b3774b1c9280e3
Pulse Author: cryptocti
Created: 2025-11-19 12:28:22

#CyberSecurity #Espionage #InfoSec #Iran #OTX #OpenThreatExchange #RAT #Rust #UNC1549 #bot #cyberespionage #cryptocti

License to Encrypt: Make Their Move

'The Gentlemen' ransomware group emerged in July 2025, employing advanced dual-extortion tactics. They encrypt data and exfiltrate sensitive information, threatening to release it unless a ransom is paid. The group developed their own Ransomware-as-a-Service (RaaS) platform after experimenting with various affiliate models. Their latest update introduces automatic self-restart, run-on-boot functionality, and flexible encryption speeds. The ransomware targets both local disks and network-shared drives, supporting Windows, Linux, and ESXi platforms. Key features include reliable encryption using XChaCha20 and Curve25519, configurable attack methods, and persistent access capabilities. The group has published 47 victims on their dark web leak site within two months of operation.

Pulse ID: 691d846bee2607ac565b349a
Pulse Link: https://otx.alienvault.com/pulse/691d846bee2607ac565b349a
Pulse Author: AlienVault
Created: 2025-11-19 08:48:43

#ChaCha20 #CyberSecurity #ELF #Encryption #Extortion #ICS #InfoSec #Linux #OTX #OpenThreatExchange #RAT #RaaS #RansomWare #RansomwareAsAService #Windows #bot #AlienVault

Sophisticated Tuoni C2 Attack on U.S. Real Estate Firm Thwarted

In October 2025, a major U.S. real estate company was targeted by a highly advanced cyberattack using the emerging Tuoni C2 framework. The attack, which showed signs of AI assistance in code generation, was neutralized by Morphisec's Automated Moving Target Defense (AMTD) technology. The campaign likely began with social engineering via Microsoft Teams impersonation, followed by a malicious PowerShell script. The attack chain involved steganography to hide payloads in images and in-memory execution techniques to evade detection. The Tuoni C2 framework, a sophisticated command-and-control tool, was used as the core implant. Morphisec's prevention-first approach successfully blocked the attack before execution, highlighting the effectiveness of AMTD against unknown threats without relying on signatures or behavioral heuristics.

Pulse ID: 691d85353673c34fb2746158
Pulse Link: https://otx.alienvault.com/pulse/691d85353673c34fb2746158
Pulse Author: AlienVault
Created: 2025-11-19 08:52:05

#CyberAttack #CyberSecurity #ICS #InfoSec #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #PowerShell #RAT #SocialEngineering #Steganography #bot #AlienVault

RONINGLOADER: DragonBreath's New Path to PPL Abuse

Elastic Security Labs uncovered a campaign by DragonBreath APT using a multi-stage loader named RONINGLOADER to deploy an updated gh0st RAT variant. The malware employs various evasion techniques targeting Chinese EDR tools, including signed driver abuse, thread-pool injection, and PPL exploitation to disable Microsoft Defender. The infection chain begins with trojanized NSIS installers masquerading as legitimate software. RONINGLOADER leverages multiple stages to terminate antivirus processes, apply custom WDAC policies, and inject the final payload into trusted system processes. The campaign demonstrates an evolution in DragonBreath's tactics, showcasing adaptability and sophisticated evasion methods.

Pulse ID: 691d85c636ef7e742328d734
Pulse Link: https://otx.alienvault.com/pulse/691d85c636ef7e742328d734
Pulse Author: AlienVault
Created: 2025-11-19 08:54:30

#Chinese #CyberSecurity #EDR #ElasticSecurityLabs #ICS #InfoSec #Malware #Microsoft #MicrosoftDefender #OTX #OpenThreatExchange #RAT #Rust #Trojan #bot #AlienVault

GPT Trade: Fake Google Play Store drops BTMob Spyware and UASecurity Miner on Android Devices

A sophisticated Android dropper impersonating the Google Play Store was discovered, distributing an app called 'GPT Trade'. This malicious application, disguised as an AI trading assistant, actually deploys two dangerous payloads: BTMob spyware and UASecurity Miner. The dropper creates directories, unpacks components, and generates new APK files before silently installing the malware. BTMob grants extensive device access, enabling credential theft and surveillance. UASecurity Miner focuses on persistence and remote control. The attack chain involves social engineering, APK generation, third-party packer services, and multiple command and control endpoints, reflecting a growing trend in modular Android threats.

Pulse ID: 691d86562d76790b15750aa0
Pulse Link: https://otx.alienvault.com/pulse/691d86562d76790b15750aa0
Pulse Author: AlienVault
Created: 2025-11-19 08:56:54

#APK #ASEC #Android #CyberSecurity #Endpoint #Google #GooglePlay #InfoSec #Malware #OTX #OpenThreatExchange #RAT #SocialEngineering #SpyWare #bot #AlienVault
