
CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This covers multiple industries, geographies, and technologies that could be relevant to your organization.
Type: Ransomware
Target Technologies: Windows OS
Introduction:
CYFIRMA Research and Advisory Team has found QV Ransomware while monitoring various underground forums as part of our Threat Discovery Process.
QV Ransomware
Researchers identified QV ransomware as a Windows-targeting ransomware strain that encrypts victim files and appends a compound extension containing the attackers’ contact email address, a victim-specific ID, and the “.Qv” extension. Analysis indicates that the malware encrypts file data using AES-256 in CBC mode and encrypts the corresponding symmetric key with an RSA-2048 public key. The ransomware also establishes persistence through a newly installed Windows service with a randomized name and a scheduled task triggered at user logon. Additionally, the source code contains functionality for targeting ESXi environments and encrypting virtual machines stored on attached datastores.

Screenshot: File encrypted by ransomware (Source: Surface Web)
Following encryption, QV ransomware creates a text file named “Qv Ransomware.txt” containing instructions for affected users. The note states that the system is “not protected” and claims that the operators can restore encrypted files. As a demonstration, the attackers offer to decrypt a single file at no cost before further communication. The message directs victims to contact the threat actors through the provided communication channels, warns against using free file-unlocking tools, and includes a decryption identifier associated with the affected system.

Screenshot: The appearance of QV’s Ransom Note (Source: Surface Web)
The following are the TTPs based on the MITRE ATT&CK Framework
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1129 | Shared Modules |
| Persistence | T1542.003 | Pre-OS Boot: Bootkit |
| Privilege Escalation | T1055 | Process Injection |
| Privilege Escalation | T1134 | Access Token Manipulation |
| Credential Access | T1056 | Input Capture |
| Discovery | T1033 | System Owner/User Discovery |
| Discovery | T1057 | Process Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Collection | T1056 | Input Capture |
| Collection | T1074 | Data Staged |
| Command and Control | T1071 | Application Layer Protocol |
| Impact | T1485 | Data Destruction |
| Impact | T1486 | Data Encrypted for Impact |
| Impact | T1490 | Inhibit System Recovery |
| Stealth | T1014 | Rootkit |
| Stealth | T1027.002 | Obfuscated Files or Information: Software Packing |
| Stealth | T1036 | Masquerading |
| Stealth | T1055 | Process Injection |
| Stealth | T1070.004 | Indicator Removal: File Deletion |
| Stealth | T1134 | Access Token Manipulation |
| Stealth | T1202 | Indirect Command Execution |
| Stealth | T1542.003 | Pre-OS Boot: Bootkit |
| Stealth | T1564.003 | Hide Artifacts: Hidden Window |
| Defense Impairment | T1222 | File and Directory Permissions Modification |
Relevancy and Insights:
ETLM Assessment:
CYFIRMA’s analysis indicates the current ransomware landscape is characterized by the widespread use of strong cryptographic algorithms, automated deployment techniques, and multi-stage attack workflows. Modern ransomware families commonly encrypt files using hybrid encryption schemes that combine symmetric and asymmetric cryptography, while also incorporating persistence mechanisms, data theft capabilities, and support for multiple operating environments, such as Windows, Linux, and virtualized infrastructures. Threat actors increasingly operate through organized ransomware-as-a-service (RaaS) models, enabling affiliates to conduct attacks at scale and target organizations across diverse sectors.
Future ransomware development is expected to focus on broader platform coverage, greater automation, and deeper integration with enterprise environments. Emerging variants may expand support for cloud-hosted resources, virtual machines, network-attached storage, and other interconnected systems. Ransomware operators are also likely to continue refining evasion techniques, attack orchestration, and victim management processes to improve operational efficiency. As organizations adopt new technologies and infrastructure models, ransomware development is expected to evolve accordingly, with threat actors adapting their tools to target a wider range of digital assets and environments.
Sigma Rules:
title: Shadow Copies Deletion Using Operating Systems Utilities
tags:
    - attack.impact
    - attack.stealth
    - attack.t1070
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection1_img:
        - Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wmic.exe'
            - '\vssadmin.exe'
            - '\diskshadow.exe'
        - OriginalFileName:
            - 'PowerShell.EXE'
            - 'pwsh.dll'
            - 'wmic.exe'
            - 'VSSADMIN.EXE'
            - 'diskshadow.exe'
    selection1_cli:
        CommandLine|contains|all:
            - 'shadow'   # will match "delete shadows" and "shadowcopy delete" and "shadowstorage"
            - 'delete'
    selection2_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection2_cli:
        CommandLine|contains|all:
            - 'delete'
            - 'catalog'
            - 'quiet'   # will match -quiet or /quiet
    selection3_img:
        - Image|endswith: '\vssadmin.exe'
        - OriginalFileName: 'VSSADMIN.EXE'
    selection3_cli:
        CommandLine|contains|all:
            - 'resize'
            - 'shadowstorage'
        CommandLine|contains:
            - 'unbounded'
            - '/MaxSize='
    condition: (all of selection1*) or (all of selection2*) or (all of selection3*)
falsepositives:
    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
    - LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)
level: high
(Source: Surface Web)
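The three selection groups of the Sigma rule above, re-implemented in plain Python and run over a handful of constructed process-creation events so the matching logic can be checked without a Sigma backend. This is an added illustration, not CYFIRMA's code or part of the original rule; the event records and their field names (Image, OriginalFileName, CommandLine) are assumed to follow Sysmon Event ID 1 naming.

```python
"""Detection logic of the Sigma rule 'Shadow Copies Deletion Using Operating
Systems Utilities', re-implemented in plain Python (illustrative, not the
original rule). Sigma string matching is case-insensitive, so every
comparison below lower-cases both sides."""
from __future__ import annotations

# Selections transcribed from the rule.
SEL1_IMG = ("\\powershell.exe", "\\pwsh.exe", "\\wmic.exe",
            "\\vssadmin.exe", "\\diskshadow.exe")
SEL1_ORIG = ("PowerShell.EXE", "pwsh.dll", "wmic.exe",
             "VSSADMIN.EXE", "diskshadow.exe")
SEL1_CLI_ALL = ("shadow", "delete")

SEL2_IMG = ("\\wbadmin.exe",)
SEL2_ORIG = ("WBADMIN.EXE",)
SEL2_CLI_ALL = ("delete", "catalog", "quiet")

SEL3_IMG = ("\\vssadmin.exe",)
SEL3_ORIG = ("VSSADMIN.EXE",)
SEL3_CLI_ALL = ("resize", "shadowstorage")
SEL3_CLI_ANY = ("unbounded", "/MaxSize=")


def _endswith_any(value: str, suffixes) -> bool:
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _equals_any(value: str, candidates) -> bool:
    v = value.lower()
    return any(v == c.lower() for c in candidates)


def _contains_all(value: str, needles) -> bool:
    v = value.lower()
    return all(n.lower() in v for n in needles)


def _contains_any(value: str, needles) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _image_selection(event: dict, suffixes, originals) -> bool:
    # Each selection*_img is a YAML list of two maps, which Sigma ORs:
    # a renamed binary is still caught through its PE OriginalFileName.
    return (_endswith_any(event.get("Image", ""), suffixes)
            or _equals_any(event.get("OriginalFileName", ""), originals))


def matched_selections(event: dict) -> list[str]:
    """Return the selection groups satisfied by one process_creation event.
    The condition is (all of selection1*) or (all of selection2*) or
    (all of selection3*), so a non-empty list means the rule fires."""
    cmd = event.get("CommandLine", "")
    hits: list[str] = []
    if _image_selection(event, SEL1_IMG, SEL1_ORIG) and _contains_all(cmd, SEL1_CLI_ALL):
        hits.append("selection1")
    if _image_selection(event, SEL2_IMG, SEL2_ORIG) and _contains_all(cmd, SEL2_CLI_ALL):
        hits.append("selection2")
    if (_image_selection(event, SEL3_IMG, SEL3_ORIG)
            and _contains_all(cmd, SEL3_CLI_ALL)
            and _contains_any(cmd, SEL3_CLI_ANY)):
        hits.append("selection3")
    return hits


# Constructed sample events using Sysmon Event ID 1 field names (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "ev1", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"id": "ev2", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"id": "ev3", "Image": "C:\\Windows\\System32\\wbadmin.exe",
     "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"id": "ev4", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded"},
    # Renamed copy of vssadmin: the Image check misses it, OriginalFileName does not.
    {"id": "ev5", "Image": "C:\\Users\\Public\\svc.exe",
     "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "svc.exe delete shadows /all"},
    # Benign administration: lists copies, never deletes or resizes.
    {"id": "ev6", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin list shadows"},
]


def alerts(events: list[dict]) -> dict[str, list[str]]:
    """Map event id -> matched selections for every event that fires the rule."""
    result: dict[str, list[str]] = {}
    for event in events:
        hits = matched_selections(event)
        if hits:
            result[event["id"]] = hits
    return result


if __name__ == "__main__":
    for event_id, sels in alerts(SAMPLE_EVENTS).items():
        print(f"{event_id}: matched {', '.join(sels)}")
```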
IOCs:
Kindly refer to the IOCs section to exercise control of your security systems. (Source: Surface Web)
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Type: Information Stealer | Objectives: Data Exfiltration | Target Technology: Windows OS | Target Geography: Global
CYFIRMA collects data from various forums, based on which the trend is ascertained. We identified a few popular malware that were found to be distributed in the wild to launch cyberattacks on organizations or individuals.
Active Malware of the week
This week, the DocSaStealer information stealer is in focus.
Overview of Operation DocSaStealer Malware
The analyzed DocSaStealer sample exhibits characteristics consistent with a sophisticated Windows-based malware threat engineered to establish execution within a compromised environment while maintaining a low operational profile. The malware leverages legitimate Windows processes, system libraries, and native operating system functionality to blend malicious activity with normal system operations, thereby reducing the likelihood of immediate detection by users and security monitoring solutions. Its execution behavior reflects a deliberate emphasis on stealth, enabling the malware to operate discreetly while preparing the host system for subsequent malicious activities.
Behavioral analysis indicates extensive interaction with critical system components, including processes, registry locations, and core Windows libraries. The malware demonstrates capabilities associated with process manipulation, execution-flow hijacking, and host reconnaissance, suggesting an objective of obtaining deeper system access and collecting environmental intelligence before initiating additional stages of operation. Furthermore, the presence of anti-analysis mechanisms and sandbox-evasion techniques highlights a design focused on circumventing automated detection platforms and complicating forensic examination efforts.
The malware also exhibits command-and-control communication functionality, providing operators with the ability to interact with compromised systems and potentially deliver additional payloads or instructions. Combined with its stealth-oriented execution methods and reconnaissance capabilities, these behaviors indicate a flexible and adaptable threat framework capable of supporting a broad range of malicious objectives.
Overall, DocSaStealer represents a significant security concern due to its combination of evasive techniques, system discovery functions, and remote communication capabilities. Although the analyzed execution chain does not explicitly reveal the malware’s final objective, the observed behaviors are consistent with a threat designed to facilitate further compromise, data collection, or additional malicious operations within the affected environment. Any detection of similar activity should be treated as a potential indicator of compromise and investigated thoroughly to determine the scope and impact of the intrusion.
Attack Method
The attack sequence begins with the execution of the malware sample within the target environment, after which it initiates a series of interactions with critical Windows operating system components. During the initial execution phase, the malware loads multiple legitimate system libraries associated with networking, cryptographic operations, process management, and user interface functionality. By utilizing trusted operating system resources rather than relying on externally delivered modules, the malware minimizes suspicious activity and blends its operations with legitimate system processes, thereby reducing the likelihood of detection.
Following successful execution, the malware performs extensive host reconnaissance and environment assessment activities. Analysis indicates that the sample accesses numerous registry locations related to system configuration, execution policies, application compatibility settings, language resources, and security controls. In parallel, it conducts process enumeration and gathers system-specific information to identify characteristics of the infected host. These discovery activities enable the malware to obtain situational awareness of the environment and determine the most appropriate execution path for subsequent stages of the attack.
The malware further employs techniques associated with process manipulation and execution-flow abuse to facilitate stealthy operation. Observed behavior suggests the use of process injection and execution-flow hijacking mechanisms, allowing malicious code to execute within the address space of legitimate processes. This approach enables the malware to conceal its activities, inherit trusted process attributes, and evade security solutions that rely on conventional process-monitoring techniques. Additionally, the malware utilizes dynamically loaded modules and runtime code execution methods, providing flexibility to deploy malicious functionality without exposing all operational capabilities within the initial executable.
To enhance operational resilience, the malware incorporates several defense-evasion and anti-analysis mechanisms throughout its lifecycle. These include obfuscated code structures, concealed execution logic, and virtualization-awareness techniques designed to identify sandboxed or analysis environments. Such capabilities allow the malware to limit or modify its behavior when executed under observation, thereby complicating forensic investigation and automated detection efforts. Furthermore, the malware establishes application-layer communication channels that may be used to receive instructions, exchange information, or facilitate the delivery of additional payloads. Collectively, these capabilities demonstrate a structured and stealth-oriented attack methodology designed to maintain persistence, evade detection, and support a wide range of follow-on malicious activities.
The following are the TTPs based on the MITRE ATT&CK Framework for Enterprises
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1129 | Shared Modules |
| Execution | T1574 | Hijack Execution Flow |
| Privilege Escalation | T1055 | Process Injection |
| Stealth | T1027 | Obfuscated Files or Information |
| Stealth | T1055 | Process Injection |
| Stealth | T1497 | Virtualization/Sandbox Evasion |
| Stealth | T1574 | Hijack Execution Flow |
| Discovery | T1057 | Process Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1497 | Virtualization/Sandbox Evasion |
| Command and control | T1071 | Application Layer Protocol |
INSIGHTS
ETLM ASSESSMENT
From a future threat landscape perspective, malware families exhibiting characteristics like DocSaStealer are expected to present increasing challenges for organizations as adversaries continue to refine their ability to operate discreetly within enterprise environments. The growing use of stealth-oriented techniques and trusted system resources may result in longer periods of undetected activity, potentially increasing organizational exposure to unauthorized access, information compromise, and operational disruption. For employees, future threats of this nature may become more difficult to recognize through conventional warning signs, as malicious activity increasingly blends with legitimate business processes and routine system operations. Consequently, organizations may face greater complexity in maintaining visibility across their environments, while the overall impact of successful compromises could extend beyond individual systems to affect broader business operations, data security, and organizational resilience.
IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems. (Source: Surface Web)
YARA Rules
rule DocSaStealer_Malware_Detection
{
    meta:
        description = "Detects DocSaStealer malware and related variants using behavioral and host-based indicators"
        author = "CYFIRMA"
        date = "2026-06-09"
        malware_family = "DocSaStealer"

    strings:
        /* Process Execution Artifacts */
        $proc1 = "wmiadap.exe"
        $proc2 = "WerSvcGroup"
        $proc3 = "svchost.exe -k WerSvcGroup"

        /* Discovery Activities */
        $disc1 = "Process Discovery"
        $disc2 = "System Information Discovery"

        /* Defense Evasion Indicators */
        $ev1 = "Virtualization/Sandbox Evasion"
        $ev2 = "Obfuscated Files or Information"
        $ev3 = "Hijack Execution Flow"
        $ev4 = "Process Injection"

        /* Registry Artifacts */
        $reg1 = "Image File Execution Options"
        $reg2 = "CurrentVersion\\Policies\\Explorer"
        $reg3 = "CurrentControlSet\\Control\\Session Manager"
        $reg4 = "Software\\Microsoft\\OLE"
        $reg5 = "Software\\Microsoft\\Rpc"
        $reg6 = "Microsoft\\CTF\\Compatibility"

        /* Loaded Modules */
        $mod1 = "bcryptprimitives.dll"
        $mod2 = "ws2_32.dll"
        $mod3 = "winmm.dll"
        $mod4 = "ntdll.dll"
        $mod5 = "SspiCli.dll"

        /* Command & Control Indicators */
        $c2_1 = "Application Layer Protocol"
        $c2_2 = "ws2_32.dll"

        /* Sample SHA256 (as a literal string this matches files that quote the
           hash, such as reports, not the binary whose hash it is) */
        $hash1 = "eb03106fc4ffe1d6580fa7a18cde415991d1a3992ce1b5d4bdb25f4906d38e5d"

    condition:
        /* MZ header, then either the hash literal or one of two artifact clusters */
        uint16(0) == 0x5A4D and (
            $hash1 or (
                3 of ($proc*) and 2 of ($reg*) and 2 of ($mod*)
            ) or (
                2 of ($ev*) and 1 of ($disc*) and 1 of ($c2_*)
            )
        )
}
Strategic Recommendations
Management Recommendations
Tactical Recommendations
Image File Execution Options, Policies\Explorer, and Session Manager.
UNC5221: A Deep Dive into Enterprise Intrusions and Cloud Account Compromise Operations
About the Threat Actor
UNC5221, also known as Silk Typhoon and Hafnium, is a China-linked state-sponsored APT group with a history of conducting cyber-espionage operations in North America.
The group has been observed exploiting vulnerabilities in internet-facing servers to gain initial access and leveraging legitimate open-source command-and-control frameworks such as Covenant for post-compromise operations and persistence. Once access is established, UNC5221 has exfiltrated sensitive data to file-sharing platforms like MEGA. Microsoft has also reported reconnaissance activity against Office 365 environments, suggesting efforts to map and assess targets even in cases where full compromise is not achieved.
It is also suspected that Silk Typhoon (UNC5221 / Hafnium) may have operational overlap or links with the nation-state threat actor APT41.
Details on Exploited Vulnerabilities

TTPs based on MITRE ATT&CK Framework
| Tactic | ID | Technique |
| --- | --- | --- |
| Reconnaissance | T1589.002 | Gather Victim Identity Information: Email Addresses |
| Reconnaissance | T1592.004 | Gather Victim Host Information: Client Configurations |
| Reconnaissance | T1590 | Gather Victim Network Information |
| Reconnaissance | T1590.005 | Gather Victim Network Information: IP Addresses |
| Reconnaissance | T1593.003 | Search Open Websites/Domains: Code Repositories |
| Resource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server |
| Resource Development | T1583.005 | Acquire Infrastructure: Botnet |
| Resource Development | T1583.006 | Acquire Infrastructure: Web Services |
| Resource Development | T1584.005 | Compromise Infrastructure: Botnet |
| Initial Access | T1199 | Trusted Relationship |
| Initial Access | T1190 | Exploit Public-Facing Application |
| Initial Access | T1078.003 | Valid Accounts: Local Accounts |
| Initial Access | T1078.004 | Valid Accounts: Cloud Accounts |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| Persistence | T1136.002 | Create Account: Domain Account |
| Persistence | T1098 | Account Manipulation |
| Persistence | T1078.003 | Valid Accounts: Local Accounts |
| Persistence | T1505.003 | Server Software Component: Web Shell |
| Persistence | T1078.004 | Valid Accounts: Cloud Accounts |
| Privilege Escalation | T1078.003 | Valid Accounts: Local Accounts |
| Privilege Escalation | T1078.004 | Valid Accounts: Cloud Accounts |
| Privilege Escalation | T1098 | Account Manipulation |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
| Stealth | T1564.001 | Hide Artifacts: Hidden Files and Directories |
| Stealth | T1218.011 | System Binary Proxy Execution: Rundll32 |
| Stealth | T1078.003 | Valid Accounts: Local Accounts |
| Stealth | T1078.004 | Valid Accounts: Cloud Accounts |
| Defense Impairment | T1685.005 | Disable or Modify Tools: Clear Windows Event Logs |
| Credential Access | T1110.003 | Brute Force: Password Spraying |
| Credential Access | T1555.006 | Credentials from Password Stores: Cloud Secrets Management Stores |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory |
| Credential Access | T1003.003 | OS Credential Dumping: NTDS |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1057 | Process Discovery |
| Discovery | T1018 | Remote System Discovery |
| Discovery | T1016 | System Network Configuration Discovery |
| Discovery | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery |
| Discovery | T1033 | System Owner/User Discovery |
| Lateral Movement | T1550.001 | Use Alternate Authentication Material: Application Access Token |
| Collection | T1560.001 | Archive Collected Data: Archive via Utility |
| Collection | T1119 | Automated Collection |
| Collection | T1530 | Data from Cloud Storage |
| Collection | T1213.002 | Data from Information Repositories: SharePoint |
| Collection | T1005 | Data from Local System |
| Collection | T1114.002 | Email Collection: Remote Email Collection |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |
| Command and Control | T1132.001 | Data Encoding: Standard Encoding |
| Command and Control | T1105 | Ingress Tool Transfer |
| Command and Control | T1095 | Non-Application Layer Protocol |
| Exfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
Latest Developments Observed
The threat actor is observed exploiting network edge appliances to gain access to enterprise environments and compromise Microsoft 365 accounts, primarily targeting organizations in the United States. The campaign involves the deployment of the Brickstorm backdoor, with attackers leveraging a compromised Egnyte Storage Sync virtual machine as a proxy to blend malicious activity with legitimate network traffic and evade detection. Based on the observed activity, the primary objective of the campaign appears to be the exfiltration of sensitive information and the maintenance of persistent access for intelligence-gathering purposes.
ETLM Insights
UNC5221, also tracked as Silk Typhoon and Hafnium, is a China-nexus state-linked advanced persistent threat (APT) group primarily assessed to be engaged in cyber-espionage activities. The group exhibits a mature and evolving operational tradecraft that emphasizes stealth, opportunistic exploitation of internet-facing systems, and persistent access across both on-premises and cloud environments, thereby strengthening its intelligence collection capabilities.
The threat actor predominantly gains initial access by exploiting vulnerabilities in exposed enterprise infrastructure, followed by leveraging legitimate tools and open-source frameworks to blend into routine administrative activity. This approach supports sustained persistence while reducing forensic visibility and limiting detection opportunities.
The actor also demonstrates notable cloud-focused reconnaissance, particularly through engagement with Microsoft Office 365 environments. Even when these activities do not result in full compromise, they reflect deliberate efforts to map identity structures and tenant configurations for potential future access. Post-compromise behavior remains low-noise, with selective data exfiltration conducted via external file-sharing services, enabling discreet and sustained operational control.
IOCs:
Kindly refer to the IOCs section to exercise control of your security systems. (Source: Surface Web)
YARA Rules
rule UNC5221_Artifact_Cluster_Detection
{
    meta:
        description = "Detection rule based on observed CVEs, IPs, domains, and binaries linked to UNC5221 activity cluster"
        author = "CYFIRMA"
        tlp = "white"
        type = "malware / intrusion artifacts correlation"
        severity = "high"

    strings:
        // Exploitation CVEs
        $cve1 = "CVE-2021-26858"
        $cve2 = "CVE-2021-26857"
        $cve3 = "CVE-2021-26855"
        $cve4 = "CVE-2020-0688"
        $cve5 = "CVE-2025-3928"

        // Infrastructure domains
        $d1 = "remotewd.com"
        $d2 = "soundsgroovybox.com"
        $d3 = "dattolocal.net"

        // IP infrastructure
        $ip1 = "194.48.199.121"
        $ip2 = "124.89.118.2"
        $ip3 = "124.89.89.153"
        $ip4 = "120.25.235.212"
        $ip5 = "171.25.193.81"

        // Payload / binaries
        $f1 = "irs.exe"
        $f2 = "c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3"

        // Web / JS exploitation artifacts
        $js1 = "constructor.name"
        $js2 = "toString.call"

    condition:
        // Comments are kept on their own lines: a trailing "//" comment would
        // otherwise swallow the rest of the condition on that line.
        (
            // Strong cluster correlation logic
            2 of ($cve*) and 1 of ($ip*) and 1 of ($d*) and 1 of ($f*)
        )
        or
        (
            // Web exploit / script-based detection fallback
            any of ($js*) and 1 of ($d*) and 1 of ($ip*)
        )
}
Strategic Recommendations
Management Recommendations
Tactical Recommendations
Five Eyes Warns of Chinese Spies Using LinkedIn to Target Officials
The Five Eyes intelligence alliance has issued a rare joint advisory warning that Chinese intelligence operations are using LinkedIn and other professional networking platforms to target government, military, and civilian personnel. According to the alert, Chinese intelligence officers disguise themselves as recruiters, think tank employees, or consultants to post fake job advertisements for foreign policy and defense analysts.
Once applicants are hired, they are pressured to supply non-public military, political, and economic intelligence to benefit the Chinese government. The coordinated warning – issued by the FBI, MI5, and their counterparts in Australia, Canada, and New Zealand – marks the first time these agencies have united to address espionage threats on professional networking sites.
ETLM Assessment:
Armed with massive databases from breaches (like OPM and Marriott hotels), the Ministry of State Security moved to LinkedIn, where operatives create fake, highly polished profiles pretending to be headhunters, private corporate consultancies, or international think tanks. They approach mid-level Western officials, military officers, or policy analysts offering thousands of dollars for “academic papers” or “market research briefings.” The targets start thinking they are doing legitimate, legal freelance consulting. But slowly, the handler asks for “non-public” information, gradually compromising the target until they are trapped in an espionage relationship. In recent years, MI5 warned that Chinese state actors had attempted to approach over 20,000 British nationals on LinkedIn alone, targeting individuals in defense, tech, and parliament. This evolution is exactly what triggered the unprecedented, joint “Five Eyes” advisory.
Chinese Threat Actors Target Taiwan and the Czech Republic
Security researchers have exposed a Chinese state-sponsored cyber espionage campaign targeting critical sectors in Taiwan and the Czech Republic. Named “Operation Dragon Weave,” the campaign uses spear-phishing tactics to steal data from government entities, academic institutions, technology firms, and financial organizations.
The attacks begin with an email carrying a malicious zip file, disguised as everyday business matters or local government appointments. The campaign is structurally unique because it features a “double whammy” deployment process: users can trigger the infection either by clicking a shortcut file (LNK) or running an embedded Rust-based dropper executable.
Once inside, the malware deploys a loader called Rustcloak, which cleverly scans the system to see if it is running in an analyst’s sandbox environment; if it smells a trap, it shuts down to avoid detection. If the coast is clear, it drops Azureveil, a command-and-control agent that uses Microsoft Azure Blob Storage as a “dead-drop” location. Because the hackers and the infected computer never talk to each other directly, instead just leaving encrypted messages and stolen data inside an Azure cloud container, the operation is incredibly difficult for traditional network security to flag.
ETLM Assessment:
The inclusion of the Czech Republic highlights growing geopolitical tensions. While China’s espionage focus on Taiwan is long-standing, its targeting of the Czech Republic stems from shifting geopolitics. According to ESET threat analyst Alexis Rapin, the Czech Republic’s strong alliance with Taiwan and its criticism of China’s support for Russia have turned it into a primary European intelligence priority for Beijing. Telemetry shows a notable spike in Chinese APT activity targeting the Czech government and academic institutions beginning in 2023.
Payload Ransomware Impacts a Manufacturing Company from Vietnam
Summary:
CYFIRMA observed on a ransomware data leak site (DLS) on the dark web that a company from Vietnam was compromised by Payload Ransomware. The compromised company is a global textile manufacturer specializing in knit apparel production and export. The company serves markets in the United States, Europe, and Japan with operations across Asia and Central America. As a B2B enterprise, it maintains manufacturing facilities and warehouses to support its international textile business. The company focuses on business integrity as a core value while maintaining a presence in both Asian and North American markets. The data, which has been breached, has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data includes confidential and sensitive information belonging to the organization. The total size of the data compromised is approximately 560 GB.

Source: Dark Web
Relevancy & Insights:


ETLM Assessment:
According to CYFIRMA’s assessment, Payload Ransomware is a financially motivated cybercriminal operation that employs double-extortion tactics, combining data exfiltration with file encryption to maximize pressure on victims. The group demonstrates the ability to compromise enterprise environments through a range of intrusion methods, including credential theft, phishing campaigns, and the exploitation of vulnerable internet-facing systems. Payload operators conduct extensive post-compromise activities, such as reconnaissance, privilege escalation, lateral movement, and data theft before deploying ransomware. Their targeting of organizations across multiple industries and geographic regions highlights a broad operational scope and a persistent threat to enterprise networks. These capabilities make Payload Ransomware a significant cybersecurity risk, particularly for organizations with inadequate security monitoring, weak access controls, or limited incident response preparedness.
The Gentlemen Ransomware Impacts a manufacturing company from Thailand
Summary:
CYFIRMA observed on a ransomware data leak site (DLS) in the dark web that a company from Thailand was compromised by The Gentlemen Ransomware. The Company is one of the largest wood-based panel manufacturers in Thailand and Southeast Asia, boasting over 70 years of industry experience. The company specializes in producing a comprehensive range of engineered wood products, including particle board, MDF, plywood, hardboard, and doors. Utilizing reliable automated technology, it is recognized as a regional leader in delivering world-class quality wood substitutes and building materials. The data, which has been breached, has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data includes confidential and sensitive information belonging to the organization.

Source: Dark Web
Relevancy & Insights:


ETLM Assessment:
According to CYFIRMA’s assessment, the Gentlemen Ransomware is a highly adaptive and globally active threat that leverages dual-extortion tactics, combining data theft with file encryption. The group employs advanced evasion and persistence techniques, supports cross-platform and scalable ransomware deployment, and conducts targeted attacks across multiple industries and geographic regions. This combination of capabilities makes it a significant risk to enterprise cybersecurity defenses, particularly for organizations with limited detection and incident-response maturity.
Vulnerability in Docker Desktop
Relevancy & Insights:
The vulnerability exists due to uncontrolled recursion within the grpcfuse kernel module.
Impact:
A local user can cause a denial-of-service condition on the target system.
Affected Products:
https[:]//docs[.]docker[.]com/desktop/release-notes/#4760
Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.
TOP 5 AFFECTED TECHNOLOGIES OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment
The vulnerability in Docker Desktop introduces significant risks to organizations that rely on containerized application development, testing, and deployment workflows. As Docker Desktop is widely used by developers, DevOps teams, and enterprise engineering environments to build, run, and manage containerized applications, exploitation of this vulnerability could disrupt critical development operations and impact the availability of containerized services. Service disruptions affecting development platforms may result in delayed software delivery, reduced productivity, and operational challenges across software engineering teams. Organizations leveraging container-based development environments must ensure timely patching, continuous monitoring, and secure configuration practices to mitigate the risk of exploitation. Addressing this vulnerability is essential to maintaining the availability, stability, and security of modern application development ecosystems and containerized infrastructure environments.
World Leaks Ransomware attacked and published the data of a Construction & Engineering company from Thailand
Summary:
Recently, we observed that World Leaks Ransomware attacked and published the data of a Construction & Engineering company from Thailand on its dark web website. The compromised company specializes in engineering and construction, focusing on sustainable infrastructure development. Their services include mass rapid transit systems, airport construction, road and expressway development, energy projects, and water supply and harbor building. The company aims to serve clients involved in infrastructure investments and public utilities. The ransomware leak site indicates that approximately 870.4 GB of data comprising 567,640 files was allegedly compromised and exposed. The accessible directory structure suggests the data includes contents from multiple internal network shares and file servers, potentially containing corporate documents, project records, operational files, shared network resources, administrative data, and other business-related information stored across organizational file repositories. The presence of domain-linked folders and centralized file server directories indicates that a significant volume of internal enterprise data may have been accessed and exfiltrated during the incident.

Source: Dark Web
Relevancy & Insights:
ETLM Assessment:
According to CYFIRMA’s assessment, World Leaks Ransomware represents an emerging and adaptive threat within the cybersecurity landscape, particularly due to its focus on data exfiltration, double-extortion tactics, and targeting of organizations across multiple sectors. The group leverages sophisticated intrusion techniques and publicly exposes stolen data to increase pressure on victims, amplifying both financial and reputational damage. Organizations must strengthen their cybersecurity posture by implementing robust incident response strategies, enforcing strict access controls, and enhancing employee awareness to detect phishing and social engineering attempts. Continuous monitoring, timely patch management, and proactive threat intelligence are critical to mitigating risks and defending against the evolving tactics employed by World Leaks Ransomware.
Identity Verification Dataset Advertised on a Leak Site
Summary:
The CYFIRMA research team identified a post on a dark web forum advertising the sale of a dataset allegedly originating from a ride-hailing service operating in Saudi Arabia. The forum post claims that the dataset contains identity verification records associated with drivers registered on the platform. According to the advertisement, the exposed data includes multiple forms of identification and verification documents collected during the driver onboarding and account validation process.
The seller claims that each record includes multiple verified identity documents and supporting files used during the user verification and onboarding process. According to the advertisement, individual records are available for purchase at $5 per record, while the complete dataset is being offered for $10,000. Based on the information provided in the forum post, the allegedly exposed dataset may contain the following information:
According to the advertisement, the dataset allegedly contains approximately 51,268 files associated with nearly 12,817 driver records, with a reported total size of approximately 13.74 GB. The seller further indicates that sample records are available and that the complete dataset is being offered for sale.
If verified, the exposure of such information could create significant risks for affected individuals and organizations. Threat actors could potentially exploit the disclosed personal information to conduct identity theft, account takeover attacks, financial fraud, social engineering campaigns, SIM-swapping attacks, and other forms of cyber-enabled crime. The exposure of government-issued identification documents and vehicle registration information may further increase the likelihood of impersonation attempts and fraudulent account creation.
This incident highlights the ongoing risks associated with the unauthorized exposure of identity verification repositories and customer onboarding systems. Organizations that collect and store sensitive personal information should implement strong access controls, encryption mechanisms, continuous monitoring, data minimization practices, and proactive threat intelligence capabilities to reduce the likelihood and impact of similar incidents.
The authenticity of the alleged dataset remains unverified at the time of reporting, as the claims are based solely on information published in a forum advertisement and have not been independently confirmed.

Source: Underground Forums
Relevancy & Insights:
Financially motivated cybercriminals are continuously looking for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to gain access and steal valuable data. Subsequently, the stolen data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.
ETLM Assessment:
The threat actor is assessed to be a recently emerged but highly active and capable entity, primarily engaged in data-leak operations. The group’s activity highlights the persistent and fast-evolving cyber threat landscape, driven by underground criminal ecosystems. This development underscores the urgent need for organizations to reinforce their cybersecurity posture through continuous monitoring, improved threat intelligence capabilities, and proactive defensive strategies to protect sensitive information and critical infrastructure.
Recommendations: Enhance the cybersecurity posture by:
The CYFIRMA research team identified a post on a dark web forum advertising the sale of a customer database allegedly associated with an Australia-based financial research and market analysis organization. The forum post claims that the dataset contains customer contact information and interaction records collected through the organization’s investment research platform and related services.
According to the information presented in the forum listing, the exposed data appears to contain customer profile details and communication records. The seller provides sample data as proof of possession and claims that the database includes information associated with approximately 2,900+ customers.
Based on the details provided in the advertisement, the allegedly exposed dataset may contain the following information:
The forum post suggests that the information originates from customer relationship management and communication systems used to manage client engagement and service delivery. Sample records displayed in the advertisement appear to contain personally identifiable information (PII) alongside operational metadata related to customer interactions.
If verified, the exposure of such information could present significant risks to affected individuals and organizations. Cybercriminals could potentially leverage the disclosed contact information to conduct phishing campaigns, business email compromise (BEC) attempts, social engineering attacks, identity-based fraud, and targeted investment scams. The availability of customer communication records and associated metadata may further increase the effectiveness of fraudulent schemes designed to impersonate legitimate financial service providers.
This incident highlights the ongoing risks associated with the unauthorized exposure of customer databases and client management systems within the financial services sector. Organizations handling investor information and customer records should implement robust access controls, continuous monitoring, data encryption, data loss prevention mechanisms, and proactive threat intelligence capabilities to reduce the likelihood and impact of similar incidents.
The authenticity of the alleged database remains unverified at the time of reporting, as the claims are based solely on information published in a forum advertisement and have not been independently confirmed.

Source: Underground Forums
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Please find the geography-wise and industry-wise breakdown of cyber news for the last 5 days as part of the situational awareness pillar.

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, and technology, please access DeCYFIR.