
CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple industries, geography, and technology that could be relevant to your organization.
Type: Ransomware
Target Technologies: Windows OS
Introduction:
CYFIRMA Research and Advisory Team has found Lalia Ransomware while monitoring various underground forums as part of our Threat Discovery Process.
Lalia Ransomware
Researchers have identified Lalia ransomware as a file-encrypting threat that targets data on compromised systems. Following execution, Lalia encrypts files and alters their filenames by appending the “.lalia” extension, for example, changing “1.jpg” to “1.jpg.lalia”. The ransomware also creates a ransom note named “RECOVERY_INFO.txt” on affected devices. According to the note, the attack involves file encryption alongside claims of sensitive data exfiltration, reflecting a dual-impact intrusion affecting both data accessibility and confidentiality.

Screenshot: File encrypted by the ransomware
The “RECOVERY_INFO.txt” file functions as the ransomware’s extortion and communication notice. It instructs victims not to use recovery utilities, rename encrypted files, or seek external assistance, while claiming that these actions could disrupt recovery efforts or expose information. The note offers sample decryption to demonstrate access to encrypted data, provides contact instructions, and imposes a limited response period. It further applies pressure by warning that the allegedly exfiltrated data may be published or sold if communication and payment-related instructions are not followed.

Screenshot: The appearance of Lalia’s Ransom Note (Source: Surface Web)
The following are the TTPs based on the MITRE ATT&CK Framework
| Tactic | Technique ID | Technique Name |
| Execution | T1047 | Windows Management Instrumentation |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Execution | T1106 | Native API |
| Execution | T1129 | Shared Modules |
| Execution | T1574 | Hijack Execution Flow |
| Privilege Escalation | T1055 | Process Injection |
| Privilege Escalation | T1134 | Access Token Manipulation |
| Privilege Escalation | T1548 | Abuse Elevation Control Mechanism |
| Discovery | T1033 | System Owner/User Discovery |
| Discovery | T1057 | Process Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
| Discovery | T1518 | Software Discovery |
| Collection | T1560 | Archive Collected Data |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1568 | Dynamic Resolution |
| Command and Control | T1573 | Encrypted Channel |
| Impact | T1485 | Data Destruction |
| Impact | T1490 | Inhibit System Recovery |
| Stealth | T1027 | Obfuscated Files or Information |
| Stealth | T1036 | Masquerading |
| Stealth | T1055 | Process Injection |
| Stealth | T1070.004 | Indicator Removal: File Deletion |
| Stealth | T1134 | Access Token Manipulation |
| Stealth | T1202 | Indirect Command Execution |
| Stealth | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
| Stealth | T1564.003 | Hide Artifacts: Hidden Window |
| Stealth | T1574 | Hijack Execution Flow |
Relevancy and Insights:
ETLM Assessment:
CYFIRMA’s analysis indicates that Lalia represents an extortion-oriented ransomware operation that integrates technical disruption with structured victim engagement. The ransomware demonstrates an operational design centered on controlling post-compromise interaction through dedicated communication channels, restrictive instructions, and deadline-driven engagement. Rather than functioning solely as a mechanism for denying access to data, Lalia reflects a broader ransomware methodology where attackers attempt to manage victim behavior and maintain leverage throughout the incident lifecycle.
Ransomware threats such as Lalia may continue evolving toward more organized and professionally structured extortion ecosystems. Future variants or associated operations could adopt increasingly standardized negotiation processes, more resilient communication infrastructure, and refined coercion techniques aimed at sustaining pressure over longer engagement periods. The growing emphasis on operational coordination suggests that ransomware campaigns may place greater focus on streamlining victim interaction, reinforcing compliance through structured messaging, and improving the overall efficiency of extortion workflows.
The evolution of ransomware activity may also involve deeper integration of multi-layered extortion methods, where operational disruption is reinforced through reputational, financial, and data exposure-related pressure mechanisms. Threat actors may continue refining their ability to manage negotiations, control information flow, and tailor extortion strategies to maximize leverage against targeted entities. Such developments reflect the broader maturation of the ransomware ecosystem, where campaigns increasingly resemble coordinated extortion operations supported by established procedures, communication frameworks, and adaptable pressure tactics rather than isolated encryption-focused incidents alone.
Sigma rule:
title: Shadow Copies Deletion Using Operating Systems Utilities
tags:
    - attack.impact
    - attack.stealth
    - attack.t1070
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection1_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\wmic.exe'
              - '\vssadmin.exe'
              - '\diskshadow.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'wmic.exe'
              - 'VSSADMIN.EXE'
              - 'diskshadow.exe'
    selection1_cli:
        CommandLine|contains|all:
            - 'shadow' # will match "delete shadows" and "shadowcopy delete" and "shadowstorage"
            - 'delete'
    selection2_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection2_cli:
        CommandLine|contains|all:
            - 'delete'
            - 'catalog'
            - 'quiet' # will match -quiet or /quiet
    selection3_img:
        - Image|endswith: '\vssadmin.exe'
        - OriginalFileName: 'VSSADMIN.EXE'
    selection3_cli:
        CommandLine|contains|all:
            - 'resize'
            - 'shadowstorage'
        CommandLine|contains:
            - 'unbounded'
            - '/MaxSize='
    condition: (all of selection1*) or (all of selection2*) or (all of selection3*)
falsepositives:
    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
    - LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)
level: high
(Source: Surface Web)
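To show how the rule's three selection pairs behave on real telemetry, the Python below (an added example, not part of the report or of SigmaHQ) ports the selections to a function and runs it over constructed Sysmon-style process-creation events, including two benign look-alikes that must not alert.

```python
"""Port of the Sigma rule's three selections, run over constructed process-creation events.
Added example, not part of the report or of SigmaHQ; the events below are constructed."""
from typing import Dict, Iterable, Optional

# selection1_img: Image suffixes and OriginalFileName values, OR'ed as Sigma does for a list of maps
SEL1_IMAGES = ("\\powershell.exe", "\\pwsh.exe", "\\wmic.exe", "\\vssadmin.exe", "\\diskshadow.exe")
SEL1_ORIG = ("PowerShell.EXE", "pwsh.dll", "wmic.exe", "VSSADMIN.EXE", "diskshadow.exe")


def _contains_all(text: str, needles: Iterable[str]) -> bool:
    """Sigma 'contains|all': every needle present; Sigma string matching is case-insensitive."""
    low = text.lower()
    return all(n.lower() in low for n in needles)


def _contains_any(text: str, needles: Iterable[str]) -> bool:
    """Sigma 'contains' with a list value: any needle present."""
    low = text.lower()
    return any(n.lower() in low for n in needles)


def _image_matches(event: Dict[str, str], images: Iterable[str], originals: Iterable[str]) -> bool:
    """Image|endswith <list> OR OriginalFileName <list>, both case-insensitive."""
    image = event.get("Image", "").lower()
    orig = event.get("OriginalFileName", "").lower()
    return any(image.endswith(s.lower()) for s in images) or any(orig == o.lower() for o in originals)


def matches_shadow_copy_deletion(event: Dict[str, str]) -> Optional[str]:
    """Return the first matching selection pair, or None when the event is clean."""
    cmd = event.get("CommandLine", "")
    # selection1: shell/WMI/VSS utilities with both 'shadow' and 'delete' on the command line
    if _image_matches(event, SEL1_IMAGES, SEL1_ORIG) and _contains_all(cmd, ("shadow", "delete")):
        return "selection1"
    # selection2: wbadmin deleting the backup catalog quietly
    if _image_matches(event, ("\\wbadmin.exe",), ("WBADMIN.EXE",)) and _contains_all(
        cmd, ("delete", "catalog", "quiet")
    ):
        return "selection2"
    # selection3: vssadmin resizing shadow storage, which purges existing copies
    if (
        _image_matches(event, ("\\vssadmin.exe",), ("VSSADMIN.EXE",))
        and _contains_all(cmd, ("resize", "shadowstorage"))
        and _contains_any(cmd, ("unbounded", "/MaxSize="))
    ):
        return "selection3"
    return None


# Constructed Sysmon-style Event ID 1 fields: the first four mirror the patterns named in the
# rule's own comments, the last two are benign look-alikes that must not alert.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": "C:\\Windows\\System32\\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"Image": "C:\\Windows\\System32\\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded"},
    {"Image": "C:\\Windows\\System32\\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin list shadows"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe delete-shadow-notes.txt"},
]


def triage(events):
    """Map each command line to the selection it triggered (None for clean events)."""
    return [(e["CommandLine"], matches_shadow_copy_deletion(e)) for e in events]


if __name__ == "__main__":
    for cmdline, hit in triage(SAMPLE_EVENTS):
        print(f"{hit or 'clean':<10} {cmdline}")
```

The benign `vssadmin list shadows` event shows why the rule pairs the image match with command-line terms: the image alone would be a constant source of false positives on hosts where administrators inspect shadow copies.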
IOCs:
Kindly refer to the IOCs section to exercise control of your security systems. (Source: Surface Web)
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Type: Remote Access Trojan (RAT) | Objectives: Remote Access / Data Exfiltration |
Target Technology: Windows OS | Target Geography: Global
CYFIRMA collects data from various forums, based on which the trend is ascertained. We identified a few popular malwares that were found to be distributed in the wild to launch cyberattacks on organizations or individuals.
Active Malware of the week
This week, “LxBase RAT” is in focus.
Overview of Operation LxBase RAT Malware
The analysis of the LxBase RAT malware sample reveals a sophisticated and highly evasive threat framework engineered to execute malicious payloads while minimizing visibility to users and security solutions. Rather than deploying its malicious capabilities directly, the malware employs a multi-stage execution mechanism that utilizes batch scripts and PowerShell-based components to extract, decode, and execute additional payloads in memory. This layered execution methodology effectively obscures the malware’s underlying functionality and significantly increases the complexity of forensic analysis and incident response efforts.
A key characteristic of the infection chain is its extensive abuse of legitimate Windows administrative utilities, including Command Prompt (CMD), PowerShell, and Windows Management Instrumentation (WMI). By leveraging trusted native system tools, the malware can blend malicious activity with normal operating system behavior, thereby reducing the likelihood of detection by conventional security controls. The observed execution sequence demonstrates deliberate attempts to bypass PowerShell security policies, execute commands in a non-interactive manner, and conceal operational artifacts from end users and security monitoring mechanisms.
The malware further incorporates multiple defense-evasion techniques designed to enhance operational stealth and persistence. Analysis identified the use of obfuscated scripts, encoded payloads, hidden execution contexts, and anti-analysis mechanisms commonly associated with sandbox and virtual machine detection. These capabilities indicate a strong emphasis on avoiding automated detection and delaying security investigations. Additionally, the creation of temporary files and staged execution components suggests a modular architecture that enables the deployment of additional malicious functionality following successful execution of the initial payload.
Overall, the behavioral patterns observed during analysis are indicative of an advanced malware delivery framework capable of facilitating a broad range of post-compromise activities, including unauthorized remote access, credential theft, data collection, and the deployment of secondary payloads. Although the ultimate objective of the sample could not be conclusively determined during analysis, its execution methodology, evasion capabilities, and modular design collectively demonstrate a significant threat to affected environments. Consequently, organizations should regard the detection of similar behaviors as a strong indicator of malicious activity and initiate timely investigation and remediation procedures to mitigate potential compromise.
Attack Method
The LxBase RAT infection chain is built around a staged execution model that prioritizes stealth, flexibility, and successful payload delivery. Instead of immediately deploying its final malicious components, the malware initiates a sequence of intermediary scripts and processes designed to prepare the victim system for further compromise. This approach reduces the likelihood of early detection while enabling the threat to adapt its behavior during execution. By separating functionality across multiple stages, the malware obscures its true objective and complicates efforts to trace the complete attack sequence.
A central element of the attack methodology is the abuse of trusted Windows administration and automation features. The malware leverages native operating system components to retrieve, decode, and execute embedded content, allowing malicious activity to blend with legitimate system operations. This “living-off-the-land” strategy minimizes dependence on external tools and helps the malware evade security products that primarily focus on identifying unknown executables. The execution flow demonstrates a deliberate effort to operate within the boundaries of normal system behavior while covertly advancing the infection process.
The attack further incorporates several techniques intended to hinder analysis and detection. Payloads are concealed within encoded or obfuscated content and are extracted only when required during execution. Commands are frequently launched in hidden or non-interactive contexts, reducing visible indicators of compromise for end users. Additionally, the malware exhibits characteristics commonly associated with anti-analysis behavior, including environmental awareness checks that may alter execution when virtualized or monitored environments are detected.
Once execution is established, the framework creates temporary artifacts and staged components that facilitate the delivery of additional functionality. This modular design enables operators to expand capabilities after the initial compromise, whether for remote access, information collection, credential harvesting, or deployment of secondary malware. The overall attack methodology reflects a modern threat architecture focused on stealth, operational flexibility, and long-term access within compromised environments.
The following are the TTPs based on the MITRE ATT&CK Framework for Enterprises
| Tactic | Technique ID | Technique Name |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| Execution | T1047 | Windows Management Instrumentation |
| Persistence | T1112 | Modify Registry |
| Stealth | T1027 | Obfuscated Files or Information |
| Stealth | T1497 | Virtualization/Sandbox Evasion |
| Stealth | T1564 | Hide Artifacts |
| Stealth | T1202 | Indirect Command Execution |
| Collection | T1074 | Data Staged |
| Command and control | T1573 | Encrypted Channel |
INSIGHTS
ETLM ASSESSMENT
From a future risk perspective, malware frameworks that employ staged execution, trusted system utilities, and highly adaptable delivery mechanisms are likely to increase the operational challenges faced by organizations. Such threats may enable attackers to maintain a presence within corporate environments for longer periods before detection, potentially increasing the impact of security incidents and the resources required for investigation and recovery.
For employees, the growing sophistication of these malware campaigns could make routine activities such as opening files, executing scripts, or interacting with seemingly legitimate content a more significant security concern, as malicious actions become increasingly difficult to distinguish from normal business operations. As organizations continue to expand remote work, cloud adoption, and digital collaboration platforms, malware with similar characteristics may become more effective at exploiting trusted workflows, resulting in greater business disruption, data exposure risks, and operational downtime across both enterprise and individual user environments.
IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems. (Source: Surface Web)
YARA Rules
rule LxBaseRAT_Behavioral_Detection
{
    meta:
        description = "Detects LxBaseRAT malware loader and related variants"
        author = "CYFIRMA"
        date = "2026-06-01"
    strings:
        $hash1 = "5a26fd462a809c89b0448318591cb98a77a7b96fca658815dc0f547a51958bed"
        $s1 = "ExecutionPolicy Bypass"
        $s2 = "WindowStyle Hidden"
        $s3 = "NonInteractive"
        $s4 = "Get-Content"
        $s5 = "Set-Content"
        $s6 = "—BEGIN_PS—"
        $s7 = "—BEGIN_ENC—"
        $s8 = ".b64"
        $s9 = ".ps1"
        $s10 = "volatile_module_"
        $s11 = "findstr /n /C:"
        $s12 = "cmd.exe /c"
        $s13 = "powershell.exe -NoProfile"
        $s14 = "powershell.exe -ExecutionPolicy Bypass"
        $s15 = "System.Diagnostics.ProcessStartInfo"
        $s16 = "ProcessWindowStyle"
        $s17 = "BSelf"
        $s18 = "wmiprvse.exe"
        $s19 = "WmiApRpl_new.h"
        $s20 = "PowerShell_transcript"
    condition:
        uint16(0) == 0x5A4D and (
            $hash1 or 6 of ($s*) or (
                $s1 and $s2 and $s3 and ($s4 or $s5) and
                ($s6 or $s7)
            )
        )
}
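The staged, marker-delimited loading described in the Attack Method section can be triaged offline without running anything. The Python below is an added example (not code from the report or from the malware): it carves `BEGIN_x`/`END_x` blocks out of a script, base64-decodes them, and flags the PowerShell switches listed in the YARA rule ($s1-$s3, $s13). The exact delimiter layout and the sample script are constructed assumptions for illustration.

```python
"""Offline triage for the marker-delimited, base64-staged loader pattern described above.
Added example; not code from the report or the malware. The BEGIN_x/END_x delimiter layout
and the sample script are constructed assumptions for illustration."""
import base64
import binascii
import re
from typing import Dict, List

# Evasion switches taken from the YARA rule's $s1-$s3 and $s13 strings.
EVASION_INDICATORS = ("ExecutionPolicy Bypass", "WindowStyle Hidden", "NonInteractive", "-NoProfile")

# Assumed delimiter layout: a "--BEGIN_NAME--" line, the blob, then a matching "--END_NAME--" line.
MARKER_RE = re.compile(
    r"^-+BEGIN_(?P<name>[A-Z0-9_]+)-+[ \t]*\n(?P<body>.*?)^-+END_(?P=name)-+",
    re.MULTILINE | re.DOTALL,
)


def carve_stages(script_text: str) -> List[Dict[str, object]]:
    """Return each delimited block with its decoded content and the evasion switches it contains."""
    stages: List[Dict[str, object]] = []
    for m in MARKER_RE.finditer(script_text):
        blob = "".join(m.group("body").split())  # line-wrapped base64 is common; drop whitespace
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", errors="replace")
            is_b64 = True
        except (binascii.Error, ValueError):
            # Not valid base64 (a further-encrypted stage or plain text): keep the raw body
            decoded, is_b64 = m.group("body").strip(), False
        stages.append({
            "name": m.group("name"),
            "base64": is_b64,
            "decoded": decoded,
            "indicators": [s for s in EVASION_INDICATORS if s.lower() in decoded.lower()],
        })
    return stages


def risk_score(stages: List[Dict[str, object]]) -> int:
    """Number of distinct evasion switches seen across all carved stages."""
    return len({ind for st in stages for ind in st["indicators"]})


# Constructed inert sample: the "PS" stage is a launcher line plus an echo, "ENC" stands in for
# an opaque second stage, and "TXT" is not base64 at all, to exercise the fallback path.
_STAGE_PS = (
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive "
    "-File stage.ps1\nWrite-Output 'placeholder second stage'\n"
)
_STAGE_ENC = b"constructed-opaque-blob-0001"
SAMPLE_SCRIPT = "\n".join([
    "@echo off",
    "rem constructed loader layout for analysis; stages below are inert",
    "goto :eof",
    "--BEGIN_PS--",
    base64.b64encode(_STAGE_PS.encode()).decode(),
    "--END_PS--",
    "--BEGIN_ENC--",
    base64.b64encode(_STAGE_ENC).decode(),
    "--END_ENC--",
    "--BEGIN_TXT--",
    "not base64!!",
    "--END_TXT--",
    "",
])

if __name__ == "__main__":
    found = carve_stages(SAMPLE_SCRIPT)
    for st in found:
        print(f"{st['name']}: base64={st['base64']} indicators={st['indicators']}")
    print("risk score:", risk_score(found))
```

A stage that fails base64 validation is kept raw rather than discarded, since an encrypted second stage (as the `BEGIN_ENC` marker suggests) still needs to be preserved as evidence even when it cannot be decoded in place.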
Strategic Recommendations
Management Recommendations
Tactical Recommendations
Key Intelligence Signals:
Transparent Tribe (APT36): State-Aligned Cyber Operations and Emerging Risks
About the Threat Actor
Transparent Tribe (also tracked as APT36) is a suspected Pakistan-aligned cyber espionage threat actor known for targeting military personnel, diplomatic missions, government agencies, and other strategic entities. Active since at least 2013, the group conducts intelligence-gathering operations aimed at collecting sensitive information that supports Pakistan’s military and geopolitical interests, with a particular focus on targets in India and Afghanistan.
Operationally, the threat actor relies heavily on targeted spear-phishing campaigns and watering hole attacks to gain initial access to victim environments. Its phishing operations commonly leverage malicious document attachments, macro-enabled files, and weaponized RTF documents designed to exploit vulnerabilities and facilitate malware delivery. Through these techniques, Transparent Tribe seeks to establish persistent access and maintain long-term visibility into targeted networks for espionage purposes.
Details on Exploited Vulnerabilities
| CVE ID | Affected Products | CVSS Score | Exploit Links |
| CVE-2026-21509 | Microsoft Office | 7.8 | – |
| CVE-2025-10035 | Fortra’s GoAnywhere MFT | 9.8 | – |
| CVE-2017-8759 | Microsoft .NET Framework | 7.8 | link |
| CVE-2023-39234 | TKWave 3.3.115 | 7.8 | – |
| CVE-2021-40539 | Zoho ManageEngine | 9.8 | link |
The following are the TTPs based on the MITRE ATT&CK Framework
| Tactic | ID | Technique |
| Resource Development | T1583.001 | Acquire Infrastructure: Domains |
| Resource Development | T1584.001 | Compromise Infrastructure: Domains |
| Resource Development | T1608.001 | Stage Capabilities: Upload Malware |
| Resource Development | T1587.003 | Develop Capabilities: Digital Certificates |
| Resource Development | T1608.004 | Stage Capabilities: Drive-by Target |
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment |
| Initial Access | T1189 | Drive-by Compromise |
| Initial Access | T1566.002 | Phishing: Spearphishing Link |
| Execution | T1203 | Exploitation for Client Execution |
| Execution | T1204.001 | User Execution: Malicious Link |
| Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic |
| Execution | T1204.002 | User Execution: Malicious File |
| Stealth | T1036.005 | Masquerading: Match Legitimate Name or Location |
| Stealth | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File |
| Stealth | T1564.001 | Hide Artifacts: Hidden Files and Directories |
| Command and Control | T1568 | Dynamic Resolution |
Latest Developments Observed
The threat actor is suspected of deploying a customized XenoRAT malware variant through a highly targeted spear-phishing campaign to gain initial access. The campaign primarily targets government entities in Afghanistan. Based on the observed activity, the threat actor’s objective appears to be the exfiltration of sensitive information and the establishment of long-term access to facilitate intelligence-gathering operations.
ETLM Insights
APT36 (Transparent Tribe), a state-sponsored threat actor assessed to operate in alignment with Pakistan’s strategic intelligence objectives, continues to prioritize diplomatic, defense, government, and research organizations as primary intelligence collection targets. The group has maintained a sustained focus on entities associated with national security, regional geopolitics, and policy development.
Operationally, the threat actor relies heavily on targeted social-engineering campaigns, credential-focused intrusion activity, and custom malware deployment to establish and maintain long-term access within victim environments. Its targeting patterns reflect a structured cyber espionage model designed to support intelligence gathering objectives while preserving operational persistence and access to sensitive information.
The actor’s activities demonstrate:
Looking ahead, the threat actor is expected to continue refining its espionage tradecraft, enhancing delivery mechanisms, and expanding operational resilience to sustain intelligence collection efforts against strategically significant organizations. This evolving operational model positions APT36 as a persistent regional cyber espionage threat, creating continued exposure for organizations involved in national security, defense, foreign affairs, research, and critical decision-making functions.
IOCs:
Kindly refer to the IOCs section to exercise control of your security systems. (Source: Surface Web)
YARA Rules
rule APT36_TransparentTribe_AuthRootSTL_Lure
{
    meta:
        description = "Detects artifacts associated with Transparent Tribe/APT36 campaign"
        author = "CYFIRMA"
        date = "2026-06-02"
        threat_actor = "Transparent Tribe (APT36)"
        hash1 = "a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40"
        hash2 = "28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa"
    strings:
        $cab1 = "authrootstl.cab" nocase ascii wide
        $dom1 = "departmentofdefence.live" ascii wide
        $dom2 = "accounts.mgovcloud.in.departmentofdefence.live" ascii wide
        $dom3 = "modgovindia.space" ascii wide
        $dom4 = "securestore.cv" ascii wide
        $dom5 = "sorlastore.com" ascii wide
        $ip1 = "198.37.123.126" ascii
        $ip2 = "172.67.148.140" ascii
        $ip3 = "159.203.45.201" ascii
        $ip4 = "159.89.28.249" ascii
        $ip5 = "101.99.92.182" ascii
        $ip6 = "198.252.111.31" ascii
    condition:
        $cab1 or
        2 of ($dom*) or 2 of ($ip*)
}
Strategic Recommendations
Management Recommendations
Tactical Recommendations
Iranian Hackers Behind a Cyberattack on US Transportation Infrastructure
A newly released analysis by Israeli researchers has uncovered the state-sponsored mechanisms behind a March cyberattack that disrupted parts of the Los Angeles County Metropolitan Transportation Authority (LACMTA). Although a seemingly independent pro-Iranian hacktivist group calling itself “Ababil of Minab” initially claimed responsibility for the incident, researchers successfully traced the threat actor’s digital footprint directly back to Iran’s Ministry of Intelligence and Security (MOIS).
The attribution is heavily supported by the group’s choice of command-and-control (C2) infrastructure, which the researchers discovered was previously utilized in operations by Black Shadow – an aggressive threat actor officially tied to the MOIS by Israel’s National Cyber Directorate. Beyond the incident in Los Angeles, the researchers have also linked Ababil of Minab to a broader campaign of destructive data-wiping attacks targeting other Western and regional assets. These include the South Florida Regional Transportation Authority, Maryland-based connected-vehicle software developer Agnik, and a Saudi Arabian construction enterprise heavily focused on critical infrastructure projects.
ETLM Assessment:
The conflict of 2026 underscores a grim reality: the boundary between “war” and “peace” has become an obsolete binary in the digital age. The battlefield is now everywhere, from the nuclear facilities of the Iranian desert to LA public transportation. Furthermore, the rise in phishing and malware activity in the USA and Gulf countries has been staggering, with malicious email campaigns increasing by 130% since the conflict began. While much of this is state-sponsored, a significant portion is financially motivated, as criminal threat actors exploit the fear and uncertainty of the war. Handala or Ababil of Minab hackers, while presenting themselves as an independent hacktivist collective, are widely assessed to be an arm of the Iranian MOIS. This blurring of lines between state actors, hacktivists, and criminals is a hallmark of modern conflict.
Russia Suspected in Lithuania’s Massive Centre of Registers Data Breach
Lithuanian authorities have launched a formal investigation into a major cyberattack that resulted in the theft of over 600,000 records from the country’s Centre of Registers. According to a report, the breach was orchestrated by a foreign threat actor who managed to compromise the system using stolen login credentials. The incident has primarily exposed sensitive databases containing personal, corporate, and property-related information. While official attribution from government investigators is still pending, the geopolitical undertones of the incident are already driving domestic political discourse, with several Lithuanian politicians pointing to Russia as the most likely culprit behind the operation.
ETLM Assessment:
Russian cyber operations in the Baltic region have increasingly focused on undermining critical infrastructure and national security through state-sponsored data breaches and disruptive attacks. Russian state-sponsored actors have long used the area as a testing ground for politically motivated cyber warfare. One of the most famous historical examples occurred in 2007, when Estonia was hit by massive, coordinated Distributed Denial of Service (DDoS) attacks that crippled government, banking, and media websites for weeks following a dispute with Moscow over the relocation of a Soviet-era war memorial. Over the years, these tactics evolved from blunt-force disruption to highly sophisticated cyber espionage campaigns. Groups like APT28 (Fancy Bear) and Sandworm – both tied to Russian military intelligence – consistently targeted Baltic government networks, energy grids, and defense ministries to gather intelligence and maintain a persistent backdoor into EU and NATO border states.
Payload Ransomware Impacts a Transportation and Logistics Company from Singapore
Summary:
CYFIRMA observed on a ransomware data leak site (DLS) on the dark web that a company from Singapore was compromised by Payload Ransomware. The compromised company is a supply chain management service provider that specializes in international and domestic multimodal transportation and warehousing, airside logistics services, air cargo general sales and marketing for international airlines, and more. The company is headquartered in Singapore. The compromised data includes confidential and sensitive information belonging to the organization. The total size of the data compromised is approximately 1 GB.

Source: Dark Web
Relevancy & Insights:


ETLM Assessment:
According to CYFIRMA’s assessment, Payload Ransomware is a financially motivated cybercriminal operation that employs double-extortion tactics, combining data exfiltration with file encryption to maximize pressure on victims. The group demonstrates the ability to compromise enterprise environments through a range of intrusion methods, including credential theft, phishing campaigns, and the exploitation of vulnerable internet-facing systems. Payload operators conduct extensive post-compromise activities, such as reconnaissance, privilege escalation, lateral movement, and data theft, before deploying ransomware. Their targeting of organizations across multiple industries and geographic regions highlights a broad operational scope and a persistent threat to enterprise networks. These capabilities make Payload Ransomware a significant cybersecurity risk, particularly for organizations with inadequate security monitoring, weak access controls, or limited incident response preparedness.
The Gentlemen Ransomware Impacts a Manufacturing Company from Japan
Summary:
CYFIRMA observed on a ransomware data leak site (DLS) on the dark web that a company from Japan was compromised by The Gentlemen Ransomware. The compromised company is a prestigious Japanese glass packaging manufacturer established in 1943 and headquartered in Tokyo. It specializes in high-end glass containers for cosmetics, fragrance, and pharmaceuticals, delivering end-to-end solutions: design, production, decoration, and innovative antibacterial “Million Guard” technology. The breached data has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data includes confidential and sensitive information belonging to the organization.

Source: Dark Web
Relevancy & Insights:


ETLM Assessment:
According to CYFIRMA’s assessment, the Gentlemen Ransomware is a highly adaptive and globally active threat that leverages dual-extortion tactics, combining data theft with file encryption. The group employs advanced evasion and persistence techniques, supports cross-platform and scalable ransomware deployment, and conducts targeted attacks across multiple industries and geographic regions. This combination of capabilities makes it a significant risk to enterprise cybersecurity defenses, particularly for organizations with limited detection and incident-response maturity.
Vulnerability in Nx Console VSCode Extension
Relevancy & Insights:
The vulnerability exists due to the presence of malicious functionality in the application code (a backdoor).
Impact:
It allows a remote attacker to gain unauthorized access to the application.
The affected version was compromised on May 19, 2026, and was distributed through the Visual Studio Marketplace for around 18 minutes and through OpenVSX for around 36 minutes.
Affected Products:
https[:]//github[.]com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w
Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.
TOP 5 AFFECTED TECHNOLOGIES OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment
Vulnerability in the Nx Console VSCode Extension introduces significant risks to software development environments that rely on Visual Studio Code extensions for application development and workflow automation. As developer tools often possess access to source code repositories, credentials, build pipelines, and sensitive project data, exploitation of this vulnerability could enable attackers to compromise development systems and introduce malicious code into software supply chains. Organizations leveraging developer productivity tools must ensure timely remediation, verify extension integrity, and continuously monitor development environments for suspicious activity. Addressing this vulnerability is essential to maintaining the integrity of software development processes and protecting enterprise software supply chains from compromise.
SafePay Ransomware attacked and published the data of a Construction company from Japan
Summary:
Recently, we observed that SafePay Ransomware attacked and published the data of a construction company from Japan on its dark web website. The compromised company is a Japanese construction-related service company specializing in the repair, restoration, and repainting of damaged architectural materials and building components. Founded in 1988 and headquartered in Osaka, the company operates multiple regional offices across Japan, including Tokyo, Yokohama, Nagoya, Sendai, and Fukuoka. Its core business focuses on repairing scratches, dents, corrosion, and aging damage affecting aluminium, steel, stainless steel, wood, and resin-based construction materials. The company provides restoration services for both residential and commercial buildings, working closely with major Japanese construction and housing corporations. Based on the exposed directory listing shown in the image, the ransomware incident appears to have resulted in the compromise and public exposure of a significant volume of organizational data, including multiple backup database files (.bak) exceeding several gigabytes in size, administrative directories, user account folders, shared network repositories, backup storage locations, and publicly accessible file repositories. The leaked structure suggests unauthorized access to enterprise systems containing operational databases, user and administrator accounts, shared corporate resources, backup archives, and potentially sensitive business information. The presence of numerous database backup files indicates that critical organizational records—such as customer information, employee data, financial records, transactional data, internal documents, configuration files, and other business-critical datasets—may have been exposed.

Source: Dark Web
Relevancy & Insights:
ETLM Assessment:
According to CYFIRMA’s assessment, SafePay represents a sophisticated, fast-moving ransomware threat capitalizing on VPN weaknesses and credential theft, employing effective double extortion tactics to maximize ransom payments. Organizations, especially in highly targeted sectors and regions, must prioritize layered defenses and active hunting for early detection.
Business Contact Database Advertised on a Leak Site
Summary: The CYFIRMA research team identified a post on a dark web forum advertising the sale of a business contact database allegedly associated with a Thailand-based home improvement, interior design, gardening, and lifestyle media platform. The forum post claims that the dataset contains extensive business and operational information collected from organizations operating within the home improvement and related commercial sectors.
According to the information presented in the forum listing, the dataset is advertised as approximately 413 KB in size and is described as containing multiple categories of business-related information. The seller claims that the data is organized into several interconnected sections and includes sample records as proof of possession. The asking price for the data is $1,300.
Based on the details provided in the advertisement, the allegedly exposed dataset is structured into three primary categories: contact information, financial records, and business documentation. The seller also references downloadable sample files purportedly demonstrating the nature and authenticity of the advertised data.
If verified, the exposure of such information could present significant risks to affected organizations and individuals. Threat actors could potentially leverage the disclosed contact details for phishing campaigns, business email compromise (BEC) attempts, social engineering attacks, targeted fraud, and unauthorized business intelligence gathering. The inclusion of financial and operational information may further increase the risk of corporate espionage, financial scams, and reputational harm.
This incident highlights the ongoing risks associated with the unauthorized exposure of business databases and corporate information repositories. Organizations that maintain large volumes of customer, partner, and operational data should implement robust access controls, data protection mechanisms, continuous monitoring, and proactive threat intelligence capabilities to reduce the likelihood and impact of similar incidents.
The authenticity of the alleged database remains unverified at the time of reporting, as the claims are based solely on information published in a forum advertisement and have not been independently confirmed.

Source: Underground Forums
Relevancy & Insights:
Financially motivated cybercriminals are continuously looking for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to gain access and steal valuable data. Subsequently, the stolen data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.
ETLM Assessment:
The threat actor is assessed to be an active and capable cybercriminal entity involved primarily in data breach and leak operations. Multiple credible indicators associate the actor with incidents involving unauthorized access to organizational systems, followed by the publication, sale, or distribution of stolen data on underground forums. These activities reflect the increasing sophistication and persistence of cyber threats emerging from organized cybercriminal ecosystems, emphasizing the need for organizations to strengthen their security posture through continuous monitoring, enhanced threat intelligence capabilities, and proactive cybersecurity measures to safeguard sensitive data and critical assets.
Recommendations: Enhance the cybersecurity posture by:
Customer Database Advertised on a Leak Site
Summary: The CYFIRMA research team identified a post on a dark web forum advertising the sale of a customer database allegedly associated with a Taiwan-based e-commerce platform. The forum post claims that the dataset contains a substantial volume of customer, support, and transaction-related information collected through the organization’s online retail operations.
According to the information presented in the advertisement, the dataset is reportedly organized into multiple interconnected sections and includes customer contact records, support ticket information, and order transaction data. The seller claims that the information is recent and provides sample records to demonstrate the alleged authenticity of the dataset. The asking price for the data is $1,200.
Based on the details shared in the forum post, the exposed information may include:
Customer Contact Information
Customer Support Records
Order and Transaction Information
If verified, the exposure of such information could pose significant security and privacy risks to affected customers and organizations. Personal information combined with order history and support records could be leveraged to conduct phishing campaigns, business email compromise attempts, account takeover attacks, identity fraud, and other forms of social engineering. Additionally, transaction and operational data may provide valuable intelligence for cybercriminals seeking to conduct targeted fraud or financial scams.
This incident highlights the ongoing cybersecurity challenges faced by organizations operating large-scale online commerce platforms that process customer information, support interactions, and financial transactions. The alleged exposure underscores the importance of implementing strong access controls, database security mechanisms, encryption, continuous monitoring, and proactive threat intelligence capabilities to safeguard sensitive business and customer information.
The authenticity of the alleged database remains unverified at the time of reporting, as the claims are based solely on information published in a forum advertisement and have not been independently confirmed.

Source: Underground Forums
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Please find the geography-wise and industry-wise breakdown of cyber news for the last 5 days as part of the situational awareness pillar.





For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, and technology, please access DeCYFIR.