Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.

Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

npm_Spearphishing_Document_Lures_AiTM
Intel Source: Socket
Date of Scan: 2025-12-28
Impact: HIGH
Summary: Researchers from the Socket Threat Research Team uncovered a sustained spearphishing campaign that abuses the npm registry as durable hosting for browser-based phishing lures. Instead of compromising developers through malicious dependencies, the actor repurposes npm packages as web-delivered phishing components that execute directly in the victim's browser. The operation ran for at least five months and involved 27 malicious packages published under multiple aliases. These packages impersonate secure document-sharing portals and Microsoft sign-in pages, with the victim's email address prefilled to increase credibility. The campaign is highly targeted, focusing on sales and commercial staff at manufacturing, industrial automation, plastics, and healthcare organizations. Once the lure is opened, client-side JavaScript replaces the page content and guides the victim through a staged verification flow. Lightweight anti-analysis controls, including bot detection, honeypot form fields, and interaction gating, are used to evade scanners. Credential submission redirects victims to threat actor-controlled infrastructure associated with adversary-in-the-middle techniques. In some cases, the infrastructure overlaps with Evilginx-style patterns capable of stealing session cookies and bypassing MFA. The impact is credential compromise with potential downstream account takeover rather than endpoint malware infection.
Source: https://socket.dev/blog/spearphishing-campaign-abuses-npm-registry?utm_medium=feed

A_Deployment_of_CoinMiner_Payloads
Intel Source: ASEC
Date of Scan: 2025-12-28
Impact: MEDIUM
Summary: Researchers at ASEC have uncovered multiple campaigns that exploit a GeoServer remote code execution vulnerability (CVE-2024-36401) to install cryptocurrency miners on exposed servers. The attackers scan the internet for vulnerable GeoServer deployments rather than targeting specific organizations. Once access is gained, the attackers deploy XMRig-based CoinMiner payloads to hijack system resources for cryptomining. In some cases, they use multi-stage PowerShell and Bash scripts, including droppers delivered via certutil and downloaders that can run payloads directly in memory. The attackers also try to weaken host defenses by adding Windows Defender exclusions and disabling security settings to keep their access longer.
Source: https://asec.ahnlab.com/en/91724/

Tax_Themed_Phish_NSIS_RAT_Fake_ITD
Intel Source: Seqrite
Date of Scan: 2025-12-27
Impact: HIGH
Summary: Researchers from Seqrite have uncovered a tax-themed phishing campaign targeting Indian businesses that impersonates the Indian Income Tax Department to deliver a remote access malware payload. The attack begins with spearphishing emails using urgent compliance lures that direct victims to a fraudulent tax portal hosting a malicious ZIP archive. When executed, the archive launches a multi-stage NSIS installer chain that drops and executes a hidden RAT component while attempting to weaken local security controls. The malware establishes persistence by registering a Windows service disguised as a legitimate system protection service. It then performs system reconnaissance, collects host and software information, and registers the infected device with attacker-controlled infrastructure. The implant communicates with its command-and-control servers over multiple ports, enabling remote command execution and follow-on activity. The campaign emphasizes persistence and operational control, posing significant risk to affected organizations through sustained endpoint compromise.
Source: https://www.seqrite.com/blog/indian-income-tax-themed-phishing-campaign-targets-local-businesses/

Webrat_GitHub_Exploit_Lure_Backdoor
Intel Source: Securelist
Date of Scan: 2025-12-27
Impact: MEDIUM
Summary: Researchers from Securelist have uncovered a Webrat campaign that shifts distribution from game cheats and cracked software to fake exploits hosted on GitHub repositories. Instead of targeting casual users, the attackers now focus on students and inexperienced security professionals by disguising malware as proof-of-concept exploits for high-profile vulnerabilities. The repositories are carefully crafted with AI-generated vulnerability descriptions and realistic mitigation guidance to appear legitimate. Victims are lured into downloading password-protected archives that contain a decoy file alongside a malicious loader. Once executed, the loader escalates privileges, disables Windows Defender, and retrieves the Webrat backdoor from a remote server. The end goal is persistent system access and data theft, including credentials, messaging accounts, and surveillance via keylogging and media capture.
Source: https://securelist.com/webrat-distributed-via-github/118555/

Phantom_Shuttle_Malicious_Chrome_VPN
Intel Source: Socket
Date of Scan: 2025-12-26
Impact: HIGH
Summary: Researchers from Socket have uncovered a long-running malicious Chrome extension campaign tracked as Phantom Shuttle that masquerades as a legitimate VPN and network testing tool. The activity targets developers and foreign trade workers through professionally branded Chrome Web Store listings and a paid subscription model that builds trust and reduces suspicion. The extensions abuse Chrome proxy and authentication APIs to silently inject hardcoded credentials, placing victims in an adversary-in-the-middle position and routing traffic through attacker-controlled infrastructure. The report details how the extensions continuously exfiltrate user emails and passwords via periodic heartbeat communications while selectively proxying high-value domains such as cloud services and developer platforms. This operation has remained active since at least 2017, posing significant credential theft and downstream enterprise and supply-chain risk.
Source: https://socket.dev/blog/malicious-chrome-extensions-phantom-shuttle?utm_medium=feed

EtherRAT_React2Shell_Exploit_Distribution
Intel Source: AhnLab Security Intelligence Center
Date of Scan: 2025-12-26
Impact: HIGH
Summary: ASEC reports an active campaign exploiting the React2Shell vulnerability (CVE-2025-55182) to deploy EtherRAT via automated scanning of exposed React/Next.js servers. The multi-stage Node.js infection chain installs a RAT capable of command execution, credential and cryptocurrency theft, SSH key persistence, and propagation. EtherRAT uniquely resolves its C2 through Ethereum smart contract queries, indicating higher operational sophistication. The activity is opportunistic and high impact, enabling persistent access and financial theft.
Source: https://asec.ahnlab.com/en/91658/

Repeated_IIS_Intrusions_Lead_to_Malware_Access
Intel Source: Huntress
Date of Scan: 2025-12-25
Impact: LOW
Summary: Researchers from Huntress have uncovered three intrusions in which a threat actor repeatedly failed and retried actions until malware execution and persistence partially succeeded. In each case, the activity originated from Microsoft IIS web servers, with commands executed under the IIS worker process. The actor relied on basic but effective techniques, including system enumeration, downloading and launching files using built-in Windows utilities, and repeatedly attempting to run the same payloads after initial failures. In later stages, they attempted to weaken defenses by adding Microsoft Defender exclusions and attempted to establish persistence by creating a Windows service, although some efforts failed due to misconfiguration. The affected victims included a development firm, a manufacturing organization, and an enterprise shared services provider, indicating broad and opportunistic targeting rather than a focus on a specific industry.
Source: https://www.huntress.com/blog/trial-error-typos-malware-attacks-sophisticated

Shared_Lazarus_Kimsuky_Attack_Infrastructure
Intel Source: Hunt.io
Date of Scan: 2025-12-25
Impact: HIGH
Summary: Researchers from Hunt.io and Acronis Threat Research identified a campaign linked to the North Korea-aligned groups Lazarus and Kimsuky by analyzing how their infrastructure is reused across operations, rather than focusing on a single malware family. The report shows that the same servers, certificates, ports, and hosting choices appear again and again, revealing consistent operator behavior. The researchers also uncovered open directories exposing credential-stealing tools, repeated use of tunneling and proxy services, and infrastructure that supports remote access and command-and-control activity. The analysis links the Lazarus group to a Linux backdoor called Badcall and its supporting hosting environment, while another finding highlights open directories filled with mixed toolsets for credential theft, data exfiltration, and remote administration. Overall, the activity suggests the actors can quickly scale and redeploy proxy nodes across multiple VPS providers with minimal effort.
Source: https://hunt.io/blog/dprk-lazarus-kimsuky-infrastructure-uncovered

ConsentFix_A_New_Phishing_Attack_Technique
Intel Source: Push Security
Date of Scan: 2025-12-24
Impact: MEDIUM
Summary: Researchers at Push Security have identified ConsentFix, a browser-native phishing technique that abuses OAuth consent flows combined with ClickFix-style user interaction to compromise Microsoft cloud accounts without requiring passwords or MFA prompts. Victims are lured via search results to compromised or malicious websites that masquerade as routine security checks and guide users to complete a legitimate Microsoft sign-in in a separate tab. By tricking users into copying authorization data from the browser address bar back into the lure page, attackers can redeem OAuth tokens using Azure command-line tooling. This enables control over the victim's Microsoft identity and associated resources while relying solely on standard cloud application workflows. The attack operates entirely within the browser, evades many endpoint and email-based defenses, and uses selective targeting and anti-analysis measures to reduce detection.
Source: https://pushsecurity.com/blog/consentfix#id-recommendations_id-iocs

Ink_Dragon_Espionage_Campaign
Intel Source: Check Point
Date of Scan: 2025-12-24
Impact: HIGH
Summary: Check Point researchers have identified an espionage campaign conducted by the PRC-aligned threat actor Ink Dragon, also tracked as CL-STA-0049, Earth Alux, and REF7707. The group primarily targets government, telecommunications, and other public-sector organizations across Southeast Asia, South America, Africa, and Europe. Initial access is typically achieved by exploiting ASP.NET ViewState deserialization vulnerabilities on exposed IIS and SharePoint servers, as well as the SharePoint ToolShell vulnerability, enabling remote code execution without user interaction. After gaining access, the actors rapidly escalate privileges, harvest credentials and authentication tokens, and pivot laterally by abusing administrative RDP sessions. They deploy ShadowPad and FinalDraft malware to establish C2, move laterally across Windows environments, and exfiltrate sensitive data. Throughout the campaign, Ink Dragon consistently abuses legitimate digital signatures and disguises malicious binaries as native Windows components to evade detection and blend into normal system activity.
Source: https://research.checkpoint.com/2025/ink-dragons-relay-network-and-offensive-operation/

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.

Why Security Content Matters

Learn how Securonix is paving the way to make precise and actionable security content a reality for our customers.