Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.


Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

Intel Source: Proofpoint
Intel Name: TA2726_and_TA2727_Identified
Date of Scan: 2025-02-21
Impact: MEDIUM
Summary: Researchers from Proofpoint have discovered two new cybercriminal threat actors, TA2726 and TA2727, who run web inject campaigns and distribute malware. These actors use hijacked websites to serve bogus update-themed lures, adding to the already complicated field of web inject attacks. Notably, TA2727 was spotted delivering FrigidStealer, a newly found macOS information stealer, as well as malware for Windows and Android.
Source: https://www.proofpoint.com/us/blog/threat-insight/update-fake-updates-two-new-actors-and-new-mac-malware

Intel Source: CISA
Intel Name: Ghost_Cring_Ransomware
Date of Scan: 2025-02-21
Impact: HIGH
Summary: The FBI, CISA, and MS-ISAC have issued a joint advisory on Ghost (Cring) ransomware, detailing the methods and impact of attacks by this group of threat actors, primarily located in China. Ghost actors target organizations globally, exploiting vulnerabilities in outdated software and firmware to infiltrate networks, with a focus on critical infrastructure, healthcare, education, and small businesses. These attackers use common tools like Cobalt Strike and Mimikatz for privilege escalation and credential theft, and employ tactics to evade detection and hinder system recovery. Ghost actors typically encrypt data using various ransomware executables and demand ransom in cryptocurrency for decryption keys. While exfiltration is rare, the encrypted data remains inaccessible without payment.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a

Intel Source: malwr-analysis
Intel Name: Arechclient2_Malware
Date of Scan: 2025-02-20
Impact: LOW
Summary: Arechclient2, also known as SectopRAT, is .NET malware that gives attackers remote access to an infected system. It uses a concealment technique called Calli obfuscation, which makes it hard to detect. The malware has various capabilities, including scanning web browsers to collect information about installed extensions, saved usernames, passwords, and cookies. It searches for VPN services such as NordVPN and ProtonVPN and gathers system details such as hardware and operating system information, along with Telegram and Discord settings. Additionally, it searches for FTP credentials and cryptocurrency wallets to steal financial data.
Source: https://malwr-analysis.com/2025/02/18/arechclient2-malware-analysis-sectoprat/

Intel Source: Cofense
Intel Name: Phishing_Campaign_Targets_Amazon_Users
Date of Scan: 2025-02-20
Impact: LOW
Summary: Researchers from Cofense have uncovered a phishing campaign targeting Amazon Prime users. The campaign starts with an email that appears to be a legitimate notification from Amazon Prime, claiming that the recipient's payment method has expired or is no longer valid. The email creates urgency, pushing the recipient to click a button to check their payment information. When the user clicks the link, it redirects to a Google Docs page. This tactic targets login credentials and additional details such as verification and payment information for illicit purposes.
Source: https://cofense.com/blog/amazon-phish-hunts-for-security-answers-and-payment-information

Intel Source: Any.Run
Intel Name: Phishing_Campaign_Drops_Zhong_Stealer
Date of Scan: 2025-02-20
Impact: LOW
Summary: Researchers at ANY.RUN have observed a phishing campaign distributing a newly discovered stealer malware, Zhong Stealer, that targets the cryptocurrency and finance sectors. The Quetzal Team monitored this campaign from December 20 to 24, 2024, during which phishing tactics were used to deceive customer care team members into opening malicious ZIP files.
Source: https://any.run/cybersecurity-blog/zhong-stealer-malware-analysis/

Intel Source: Fortinet
Intel Name: New_Variant_of_Snake_Keylogger
Date of Scan: 2025-02-20
Impact: LOW
Summary: FortiGuard researchers have discovered a new variant of Snake Keylogger, also known as the 404 Keylogger, targeting Windows users. This malware mainly focuses on China, Turkey, Indonesia, Taiwan, and Spain. It has been identified as AutoIt/Injector.GTY!tr and has been responsible for over 280 million blocked infection attempts worldwide. This variant of Snake Keylogger primarily spreads through phishing emails that contain either an attachment or a link. It targets web browsers like Chrome, Edge and Firefox, stealing sensitive information such as credentials and data by logging keystrokes, capturing credentials and monitoring the clipboard. The stolen data is then exfiltrated to its C2 server via email and Telegram bots.
Source: https://www.fortinet.com/blog/threat-research/fortisandbox-detects-evolving-snake-keylogger-variant

Intel Source: ASEC
Intel Name: Rhadamanthys_Distributed_via_MSC_Extension
Date of Scan: 2025-02-19
Impact: LOW
Summary: Researchers at AhnLab have identified that the Rhadamanthys infostealer is being distributed using files with the .MSC extension, which are associated with Microsoft Management Console (MMC). These files allow the execution of various scripts, commands, or programs. The attackers use two methods to execute the malicious MSC files: the first exploits a vulnerability (CVE-2024-43572) that is no longer effective because it has been patched by Microsoft, and the second uses Console Taskpad to run malicious commands.
Source: https://asec.ahnlab.com/ko/86354/

Intel Source: K7 Labs
Intel Name: Malicious_PoC_Exploit_Abuse_on_GitHub
Date of Scan: 2025-02-19
Impact: LOW
Summary: Researchers at K7 Labs have observed that a spelling error in their proof-of-concept exploit release for CVE-2024-49112 led threat actors to create a malicious GitHub repository. The attackers attempted to fool researchers and security professionals by falsely claiming that their file was the legitimate proof of concept for CVE-2024-49113. This case shows how small mistakes can be exploited for malicious purposes.
Source: https://labs.k7computing.com/index.php/ldapnightmare-spoof-stealer/

Intel Source: Trac Labs
Intel Name: GhostWeaver_Backdoor
Date of Scan: 2025-02-19
Impact: LOW
Summary: TRAC Labs researchers have uncovered a malware campaign that tricks users with a fake browser update notification on a compromised website. When the user clicks it, a JavaScript file runs in the background and downloads a malware loader called MintsLoader. This loader then installs an advanced PowerShell-based backdoor named GhostWeaver, which lets attackers maintain remote control over the compromised system by connecting to its C2 server. It is designed to steal sensitive information such as saved passwords from web browsers like Chrome, Firefox and Edge, Outlook emails, and cryptocurrency wallets.
Source: https://trac-labs.com/dont-ghost-the-socgholish-ghostweaver-backdoor-574154dd9983

Intel Source: Netskope
Intel Name: Go_Based_Backdoor_Using_Telegram_C2
Date of Scan: 2025-02-18
Impact: LOW
Summary: Netskope researchers have discovered a new Go-based backdoor malware, potentially of Russian origin. The malware uses Telegram as its command and control (C2) channel, which is uncommon but highly effective. This makes detection difficult for defenders. The malware appears to still be under development but is already fully functional. Using cloud apps like Telegram for C2 communication allows attackers to bypass infrastructure requirements and blend in with normal user activity, complicating detection efforts.
Source: https://www.netskope.com/blog/telegram-abused-as-c2-channel-for-new-golang-backdoor

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.


Why Security Content Matters

Learn how Securonix is paving the way to make precise, and actionable security content a reality for our customers.