Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.


Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

FishMedley_Cyberattack_Identified
Intel Source: ESET Research
Date of Scan: 2025-03-25
Impact: MEDIUM
Summary: Researchers from ESET have observed Operation FishMedley, a global espionage operation carried out by the FishMonger APT group and related to the Chinese contractor I-SOON. The campaign targeted governments, NGOs, and think tanks in Asia, Europe, and the United States, using implants including ShadowPad, SodaMaster, and Spyder, tools usually linked to China-aligned threat actors.
Source: https://www.welivesecurity.com/en/eset-research/operation-fishmedley/

INDOHAXSEC_Rising_Indonesian_Hackers
Intel Source: Arctic Wolf
Date of Scan: 2025-03-25
Impact: LOW
Summary: Arctic Wolf researchers have identified that the Indonesia-based hacktivist collective INDOHAXSEC has been active in Southeast Asia, conducting cyberattacks such as DDoS and ransomware attacks against various entities, including government bodies. Motivated primarily by political goals, with occasional financial motives, the group uses both custom and publicly available hacking tools. It maintains a strong online presence on platforms like GitHub, Telegram, and social media, seemingly prioritizing notoriety over operational security.
Source: https://arcticwolf.com/resources/blog/indohaxsec-emerging-indonesian-hacking-collective/

Weaver_Ant_China_Nexus_Web_Shell_Attacks
Intel Source: Sygnia
Date of Scan: 2025-03-25
Impact: LOW
Summary: Researchers at Sygnia have uncovered a Chinese-nexus threat actor known as Weaver Ant infiltrating a major Asian telecommunications company. The attackers used web shells, including an encrypted version of China Chopper and a previously unknown 'INMemory' web shell, to sustain persistence and aid cyber espionage.
Source: https://www.sygnia.co/threat-reports-and-advisories/weaver-ant-tracking-a-china-nexus-cyber-espionage-operation/

ABYSSWORKER_Driver_in_Medusa_Attacks
Intel Source: Elastic Security Labs
Date of Scan: 2025-03-24
Impact: LOW
Summary: Researchers at Elastic Security Labs have discovered the use of ABYSSWORKER, a malicious driver distributed alongside the MEDUSA ransomware, to deactivate endpoint detection and response (EDR) systems. Cybercriminals use either vulnerable genuine drivers or custom-built drivers to avoid detection. The HEARTCRYPT-packed loader installed the ABYSSWORKER driver, which was signed with a revoked certificate from a Chinese vendor and used to silence the products of numerous EDR suppliers.
Source: https://www.elastic.co/security-labs/abyssworker

Lazarus_Group_Hits_NPM_with_Malicious_Packages
Intel Source: Socket
Date of Scan: 2025-03-24
Impact: MEDIUM
Summary: Researchers from Socket have uncovered six new malicious npm packages linked to North Korea's Lazarus Group. These packages are designed to steal credentials, extract cryptocurrency data, and deploy backdoors, and had been downloaded over 330 times. The packages used typosquatting tactics, mimicking trusted libraries, and were hosted on GitHub to appear legitimate, increasing the risk of integration into developer workflows.
Source: https://socket.dev/blog/lazarus-strikes-npm-again-with-a-new-wave-of-malicious-packages

Mirai_Botnet_Targets_DrayTek_Routers
Intel Source: ISC.SANS
Date of Scan: 2025-03-24
Impact: LOW
Summary: Researchers at ISC.SANS have discovered that the Mirai botnet now includes exploits targeting DrayTek Vigor routers. These attacks are based on vulnerabilities published by Forescout in October, which initially affected around 700,000 devices. Attackers are primarily targeting the "mainfunction.cgi" and "keyPath" vulnerabilities, with continued efforts to exploit "cvmcfgupload." Some attack attempts appear to be faulty, perhaps due to errors in exploit scripts.
Source: https://isc.sans.edu/diary/Mirai+Bot+now+incroporating+malformed+DrayTek+Vigor+Router+Exploits/31770/

Malicious_HWP_Disguised_as_Education_Application
Intel Source: ASEC
Date of Scan: 2025-03-24
Impact: LOW
Summary: ASEC researchers have discovered a post recruiting students for a course that contained a link to download a malicious HWP document. The HWP file, disguised as an application form, contained both a legitimate document and a malicious BAT file. When opened, the BAT file creates and executes additional files, including services like 0304.exe, which download further malware. The malware connects to an external URL to retrieve and execute additional commands, making it difficult for users to detect.
Source: https://asec.ahnlab.com/en/86841/

Python_Based_AnubisBackdoor_Found
Intel Source: G DATA
Date of Scan: 2025-03-24
Impact: LOW
Summary: Researchers at G DATA have found a new Python-based backdoor known as "AnubisBackdoor," which was used by the financially motivated threat group FIN7 during recent attacks. To avoid detection, the malware, which is delivered by phishing emails containing ZIP archives, uses various layers of obfuscation and encryption. Initially, the malware employs AES-encrypted Python scripts to execute payloads invisibly, reducing forensic traces.
Source: https://www.gdatasoftware.com/blog/2025/03/38161-analysis-fin7-anubis-backdoor

Dragon_RaaS_Emerging_Ransomware_Threat
Intel Source: SentinelOne
Date of Scan: 2025-03-23
Impact: LOW
Summary: Researchers from SentinelOne have discovered that Dragon RaaS, a pro-Russian ransomware gang, formed as an offshoot of the Stormous group, which is tied to the larger cybercrime syndicate known as "The Five Families." While Dragon RaaS presents itself as a sophisticated Ransomware-as-a-Service (RaaS) organization, its operations are primarily opportunistic, involving website defacements and smaller-scale ransomware events. The gang primarily targets organizations in the United States, the United Kingdom, Israel, France, and Germany using misconfigurations, brute-force attacks, and stolen credentials.
Source: https://www.sentinelone.com/blog/dragon-raas-pro-russian-hacktivist-group-aims-to-build-on-the-five-families-cybercrime-reputation/

Unique_Malware_Samples_Identified
Intel Source: Palo Alto Networks
Date of Scan: 2025-03-23
Impact: LOW
Summary: Researchers from Palo Alto Networks have discovered three unique malware strains with unusual characteristics. The first is a passive IIS backdoor developed in C++/CLI, a language rarely utilized in malware. The second is a bootkit that uses an unprotected kernel driver to install the GRUB 2 bootloader in an unexpected way. The third is a Windows implementation of a cross-platform post-exploitation framework in C++ that differs significantly from the frameworks seen last year. These findings underscore threat actors' shifting approaches, which include both custom-built and unusual malware tools.
Source: https://unit42.paloaltonetworks.com/unusual-malware/

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.


Why Security Content Matters

Learn how Securonix is paving the way to make precise and actionable security content a reality for our customers.