mastodon.online is one of the many independent Mastodon servers you can use to participate in the fediverse.
A newer server operated by the Mastodon gGmbH non-profit

#rat


KeyPlug-Linked Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company

A server linked to KeyPlug malware briefly exposed tooling used in active operations. The infrastructure, live for less than a day, revealed Fortinet firewall and VPN exploit scripts, a PHP webshell, and network reconnaissance tools targeting authentication and internal portals of a major Japanese company. The exposed directory provided insight into the attacker's workflow, from infrastructure reconnaissance to post-access session management. Notable files included Fortinet reconnaissance scripts, CDN fingerprinting tools, and encrypted command execution utilities. The server's brief exposure offers a rare glimpse into the operational staging and planning of a likely advanced adversary.

Pulse ID: 6801707ed48a87a19adaf031
Pulse Link: otx.alienvault.com/pulse/68017
Pulse Author: AlienVault
Created: 2025-04-17 21:19:58

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue Open Threat Exchange: Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

Proton66: Compromised WordPress Pages and Malware Campaigns

This intelligence briefing focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. It details how these sites were injected with malicious scripts to redirect Android users to fake Google Play Store pages. The report also covers the XWorm campaign targeting Korean-speaking users, the Strela Stealer targeting German-speaking countries, and the WeaXor ransomware. The analysis provides insights into the infection chains, malware configurations, and command-and-control servers used in these campaigns. Additionally, it offers recommendations for blocking associated IP ranges and lists numerous indicators of compromise (IOCs) for each campaign.

Pulse ID: 6802094e89f266c72f83bda4
Pulse Link: otx.alienvault.com/pulse/68020
Pulse Author: AlienVault
Created: 2025-04-18 08:11:58

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Downloader Malware Written in JPHP Interpreter

A newly discovered malware utilizes JPHP, a PHP interpreter running on Java Virtual Machine, to create a downloader. The malware is distributed in a ZIP file containing Java Runtime Environment and libraries, enabling execution without a separate Java environment. It communicates with a C2 server, disables Windows Defender's behavior monitoring, and uses Telegram for additional C2 connections. The malware can download and execute additional payloads, potentially including data breach-type malware like Strrat and Danabot. This case highlights how threat actors exploit lesser-known technologies like JPHP for malware distribution, emphasizing the importance of scrutinizing executable files and scripts from various sources.

Pulse ID: 68012d9425b7ccf942f5f065
Pulse Link: otx.alienvault.com/pulse/68012
Pulse Author: AlienVault
Created: 2025-04-17 16:34:28

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Malicious HWP Document Disguised as Reunification Education Support Application

A deceptive HWP document, masquerading as a reunification education support application, was discovered on March 5. The document, when opened, creates multiple files in the TEMP folder, including a malicious BAT file. This BAT file executes various actions to ensure persistent malware operation, including registering task schedulers and executing additional malicious files. The malware ultimately accesses an external URL to download and execute additional files, allowing threat actors to execute various commands. This incident is part of a recent trend of malware distribution using HWP documents, with attacks now targeting the general public rather than specific users. Users are advised to be cautious and keep their security software updated.

Pulse ID: 68012d954e39a06027b615d2
Pulse Link: otx.alienvault.com/pulse/68012
Pulse Author: AlienVault
Created: 2025-04-17 16:34:29

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Cascading Shadows: An Attack Chain Approach to Avoid Detection and Complicate Analysis

A multi-layered attack chain was uncovered in December 2024, employing distinct stages to deliver malware like Agent Tesla variants, Remcos RAT, or XLoader. The campaign uses phishing emails posing as order release requests with malicious attachments. The attack chain leverages multiple execution paths, including .NET and AutoIt compiled executables, to evade detection and complicate analysis. The final payload is typically an Agent Tesla variant, a well-known infostealer. This approach demonstrates how attackers are increasingly relying on complex delivery mechanisms to bypass traditional sandboxes and ensure successful payload execution. Despite the multi-layered approach, Advanced WildFire effectively detects each stage, providing better protection for customers.

Pulse ID: 680034fcd109b8fdaf831f36
Pulse Link: otx.alienvault.com/pulse/68003
Pulse Author: AlienVault
Created: 2025-04-16 22:53:48

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Unmasking the new XorDDoS controller and infrastructure

The XorDDoS trojan, a DDoS malware targeting Linux machines, continues to spread globally with over 70% of attacks targeting the United States from Nov 2023 to Feb 2025. The operators are believed to be Chinese-speaking individuals based on language settings. A new 'VIP version' of the XorDDoS controller and central controller have been discovered, enabling more sophisticated and widespread attacks. The malware uses SSH brute-force attacks to gain access and implements persistence mechanisms. A new central controller allows threat actors to manage multiple sub-controllers simultaneously, enhancing attack coordination. The infection chain, decryption methods, and network communication patterns between the trojan, sub-controller, and central controller are analyzed in detail.

Pulse ID: 6800fccf8db6537ac15e75fb
Pulse Link: otx.alienvault.com/pulse/6800f
Pulse Author: AlienVault
Created: 2025-04-17 13:06:23

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Around the World in 90 Days: State-Sponsored Actors Try ClickFix

Multiple state-sponsored threat actors from North Korea, Iran, and Russia have been observed adopting the ClickFix social engineering technique, previously associated with cybercriminal activities. Over a three-month period from late 2024 to early 2025, groups such as TA427, TA450, UNK_RemoteRogue, and TA422 incorporated ClickFix into their existing infection chains. The technique involves using dialogue boxes with instructions for targets to copy, paste, and run malicious commands on their machines. While the adoption of ClickFix hasn't revolutionized these groups' campaigns, it has replaced installation and execution stages in their existing processes. This trend highlights the fluidity of tactics among threat actors and the potential for wider adoption of ClickFix by other state-sponsored groups in the future.

Pulse ID: 680116bdb86648d0207f5e49
Pulse Link: otx.alienvault.com/pulse/68011
Pulse Author: AlienVault
Created: 2025-04-17 14:57:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


New version of MysterySnail RAT and lightweight MysteryMonoSnail backdoor

A new version of the MysterySnail RAT, attributed to the Chinese-speaking IronHusky APT group, has been detected targeting government organizations in Mongolia and Russia. The malware, which hadn't been publicly reported since 2021, now features a modular architecture with five additional DLL modules for command execution. A lightweight version dubbed MysteryMonoSnail was also observed. The infection chain involves a malicious MMC script, an intermediary backdoor, and the main MysterySnail RAT payload. The attackers use public file storage and the piping-server project for command and control. This case highlights the importance of maintaining vigilance against seemingly obsolete malware families, as they may continue operating undetected for extended periods.

Pulse ID: 6800fcd0995e011520970651
Pulse Link: otx.alienvault.com/pulse/6800f
Pulse Author: AlienVault
Created: 2025-04-17 13:06:24

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


UNC5174's evolution in China's ongoing cyber warfare: From SNOWLIGHT to VShell

Chinese state-sponsored threat actor UNC5174 has launched a new campaign using SNOWLIGHT malware and VShell, a Remote Access Trojan. The campaign targets Linux systems, employing domain squatting for phishing and social engineering. SNOWLIGHT acts as a dropper for VShell, which resides in memory as a fileless payload. The attackers use WebSockets for command and control communication, enhancing stealth. UNC5174's motivations include espionage and access brokering. The campaign has been active since November 2024, demonstrating sophisticated techniques such as memory manipulation and defense evasion. This development highlights the threat actor's expanding arsenal and continued support for Chinese government operations.

Pulse ID: 67ffc3f9b45a8daa24fcb4fe
Pulse Link: otx.alienvault.com/pulse/67ffc
Pulse Author: AlienVault
Created: 2025-04-16 14:51:37

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Inside BRUTED: Black Basta (RaaS) Used Automated Brute Forcing Framework to Target Edge Network Devices

Black Basta, a ransomware-as-a-service group, has been using an automated brute forcing framework called BRUTED to target edge network devices since 2023. The framework performs internet scanning and credential stuffing against firewalls and VPN solutions in corporate networks. Black Basta prioritizes high-impact industries, particularly the Business Services sector, to amplify operational disruptions. The group's internal communications were leaked, exposing their infrastructure and operational details. BRUTED targets various remote-access and VPN solutions, using proxy rotation, credential generation, and distributed execution to scale attacks. Black Basta exploits vulnerabilities in edge devices for initial access, then targets ESXi hypervisors to encrypt file systems and disrupt virtual machines, maximizing operational impact and ransom leverage.

Pulse ID: 67ffc3faf1eadb11b97d2f1b
Pulse Link: otx.alienvault.com/pulse/67ffc
Pulse Author: AlienVault
Created: 2025-04-16 14:51:38

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


BRICKSTORM Backdoor Analysis: A Persistent Espionage Threat to European Industries

This analysis examines BRICKSTORM, an espionage backdoor linked to China-nexus cluster UNC5221. It details newly identified Windows variants, expanding on previous Linux presence. The backdoor, used in long-term espionage campaigns, targets European industries of strategic interest to China. BRICKSTORM provides file management and network tunneling capabilities, using multiple layers of encryption and leveraging cloud providers to evade detection. The analysis covers the backdoor's inner workings, including its command and control infrastructure, protocol details, and evasion techniques. It highlights the persistent nature of these intrusions and the challenges they pose to defensive measures. The document concludes with recommendations for detection and mitigation strategies.

Pulse ID: 67ffc3f88708691edc04184d
Pulse Link: otx.alienvault.com/pulse/67ffc
Pulse Author: AlienVault
Created: 2025-04-16 14:51:36

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #China #Cloud

Threat actors misuse Node.js to deliver malware and other malicious payloads

Since October 2024, threat actors have been leveraging Node.js to deliver malware and payloads for information theft and data exfiltration. A recent malvertising campaign uses cryptocurrency trading themes to lure users into downloading malicious installers. The attack chain includes initial access, persistence, defense evasion, data collection, and payload delivery. The malware gathers system information, sets up scheduled tasks, and uses PowerShell for various malicious activities. Another emerging technique involves inline JavaScript execution through Node.js. Recommendations include educating users, monitoring Node.js execution, enforcing PowerShell logging, and implementing endpoint protection.

Pulse ID: 67fec5ac1e94a608250d9aa2
Pulse Link: otx.alienvault.com/pulse/67fec
Pulse Author: AlienVault
Created: 2025-04-15 20:46:36

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Server-Side Phishing: How Credential Theft Campaigns Are Hiding in Plain Sight

This analysis explores an ongoing phishing campaign targeting employee and member portals using a PHP-based phishing kit. The campaign has evolved from using client-side redirects to server-side credential validation, making detection more challenging. Multiple domains impersonating corporate login portals were identified, hosted on infrastructure linked to Chang Way Technologies Co. Limited. The phishing pages employ sophisticated tactics, including two-factor authentication bypasses and decoy content. The campaign's infrastructure and techniques suggest a persistent, possibly state-linked threat actor adapting their methods to evade detection and maintain access to enterprise environments.

Pulse ID: 67fec5afb0d4169ad00513fb
Pulse Link: otx.alienvault.com/pulse/67fec
Pulse Author: AlienVault
Created: 2025-04-15 20:46:39

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


CrazyHunter Campaign Targets Taiwanese Critical Sectors

The CrazyHunter ransomware group has emerged as a significant threat, specifically targeting Taiwanese organizations in healthcare, education, and industrial sectors. The group employs sophisticated techniques, including the Bring Your Own Vulnerable Driver (BYOVD) method, to bypass security measures. They have expanded their toolkit by integrating open-source tools from GitHub, such as the Prince Ransomware Builder and ZammoCide. Approximately 80% of CrazyHunter's toolkit consists of open-source tools. The group's focus on Taiwan's critical sectors raises concerns about potential disruptions to essential services. Their evolving tactics and use of readily available tools highlight the need for enhanced cybersecurity measures to counter this emerging threat.

Pulse ID: 67ffb7e75e2480d13ce1aa28
Pulse Link: otx.alienvault.com/pulse/67ffb
Pulse Author: AlienVault
Created: 2025-04-16 14:00:07

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Interlock ransomware evolving under the radar

The Interlock ransomware group, active since September 2024, has shown adaptability and innovation in its tactics despite a relatively low victim count. They employ fake browser updates and the ClickFix technique for initial access, followed by a multi-stage attack chain involving PowerShell backdoors, credential stealers, and a custom Remote Access Trojan. The group targets various sectors across North America and Europe, conducting Big Game Hunting and double extortion campaigns. Interlock has been observed improving their tools, including evolving their PowerShell backdoor and modifying their ransom notes to emphasize legal repercussions. The group's focus on maintaining relevance while avoiding large-scale visibility suggests a strategic approach to their operations.

Pulse ID: 67ffb7eba715b936a2c4c2a8
Pulse Link: otx.alienvault.com/pulse/67ffb
Pulse Author: AlienVault
Created: 2025-04-16 14:00:11

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Newly Registered Domains Distributing SpyNote Malware

Cybercriminals are employing deceptive websites on newly registered domains to distribute AndroidOS SpyNote malware. These sites imitate the Google Chrome install page on the Google Play Store, tricking users into downloading SpyNote, a powerful Android remote access trojan. SpyNote is used for surveillance, data exfiltration, and remote control of infected devices. The investigation uncovered multiple domains, IP addresses, and APK files associated with this campaign. The malware utilizes various C2 endpoints for communication and data exfiltration, with functions designed to retrieve and manipulate device information, contacts, SMS, and applications.

Pulse ID: 67feb504b76dd387be73309b
Pulse Link: otx.alienvault.com/pulse/67feb
Pulse Author: AlienVault
Created: 2025-04-15 19:35:32

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APK #Android #Chrome