Weekly Intelligence Report – 17 Jul 2026

Published On : 2026-07-17
Share :
Weekly Intelligence Report – 17 Jul 2026

Ransomware In Focus

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – that could be relevant to your organization.

Type: Ransomware
Target Technologies: Windows

Introduction:
CYFIRMA Research and Advisory Team has found BL4CK SP1D3R Ransomware while monitoring various underground forums as part of our Threat Discovery Process.

BL4CK SP1D3R Ransomware
Researchers identified BL4CK SP1D3R as ransomware after analyzing new malware samples. The threat encrypts files and appends the .bl4ck extension to affected filenames, preventing normal access to stored data. After completing encryption, it drops a ransom note named BL4CK_SP1D3R_README.txt, changes the desktop wallpaper, and instructs victims to locate R3ADM3.TXT within encrypted directories. The malware states that each victim’s data is encrypted with a unique key and displays a machine identifier for victim identification.

Screenshot: File encrypted by ransomware (Source: Surface Web)

The ransom note instructs victims to establish contact with the operators and provide the assigned machine ID to receive further payment and recovery instructions. It also claims that files were stolen before encryption, indicating a double-extortion approach that combines data theft with file encryption. Additionally, the note warns against renaming encrypted files, using third-party recovery utilities, or rebooting the system, claiming these actions could result in permanent data loss.

Screenshot: The appearance of BL4CK SP1D3R’s ransom note (BL4CK_SP1D3R_README.txt) (Source: Surface Web)

BL4CK SP1D3R leaves multiple indicators of compromise, including the .bl4ck file extension, the BL4CK_SP1D3R_README.txt ransom note, references to R3ADM3.TXT within encrypted folders, and a modified desktop wallpaper displaying the attackers’ message. These artifacts can assist incident responders in identifying affected systems, correlating the ransomware activity, and supporting forensic investigation during incident response.

Screenshot: The appearance of BL4CK SP1D3R’s wallpaper

The following are the TTPs based on the MITRE ATT&CK Framework

Tactic Technique ID Technique Name
Execution T1059 Command and Scripting Interpreter
Execution T1129 Shared Modules
Persistence T1543.003 Create or Modify System Process: Windows Service
Privilege Escalation T1543.003 Create or Modify System Process: Windows Service
Discovery T1007 System Service Discovery
Discovery T1012 Query Registry
Discovery T1033 System Owner/User Discovery
Discovery T1057 Process Discovery
Discovery T1082 System Information Discovery
Discovery T1083 File and Directory Discovery
Discovery T1135 Network Share Discovery
Discovery T1497.001 Virtualization/Sandbox Evasion: System Checks
Discovery T1518 Software Discovery
Collection T1074 Data Staged
Command and Control T1071 Application Layer Protocol
Impact T1489 Service Stop
Impact T1490 Inhibit System Recovery
Stealth T1027 Obfuscated Files or Information
Stealth T1070.004 Indicator Removal: File Deletion
Stealth T1202 Indirect Command Execution
Stealth T1497.001 Virtualization/Sandbox Evasion: System Checks
Stealth T1564.003 Hide Artifacts: Hidden Window
Defense Impairment T1222 File and Directory Permissions Modification

Relevancy and Insights:

  • The ransomware primarily targets the Windows operating system, leveraging native Windows utilities, services, registry settings, and filesystem APIs to execute its malicious activities. Its behavior indicates compatibility with enterprise and personal Windows environments.
  • Spreader Behavior: The ransomware enumerates local drives, removable media, and accessible network shares to identify additional storage locations for encryption. By traversing connected resources and shared directories, it increases the scope of infection and maximizes the overall impact of the attack.
  • File Discovery: The ransomware performs extensive file and directory discovery by scanning available drives and user-accessible locations to identify files suitable for encryption. This reconnaissance enables the malware to selectively target valuable user and system data.
  • System Information Discovery: The ransomware gathers information about the infected system, including operating system characteristics, running processes, installed software, network configuration, and user details. This information helps the malware adapt its execution and optimize its attack against the compromised environment.
  • Network Share Discovery: The ransomware identifies accessible network shares and mapped storage resources to locate additional files beyond the local system. This capability enables the malware to affect shared organizational data and expand its impact across connected devices.
  • Detect-Debug Environment: The ransomware incorporates anti-analysis techniques to determine whether it is executing inside a sandbox, virtual machine, or debugging environment. By invoking functions such as IsDebuggerPresent, monitoring execution timing, and inspecting system characteristics, the malware can delay, modify, or terminate its execution to evade behavioral analysis.
  • Long Sleep Delays: The ransomware implements extended sleep intervals during execution as an anti-analysis technique. These intentional delays reduce the likelihood of exposing malicious behavior within automated sandbox environments that monitor processes for only a limited period.

ETLM Assessment:

CYFIRMA assesses that BL4CK SP1D3R currently combines file encryption with claimed data exfiltration, reflecting the ongoing evolution of ransomware beyond simple file-locking attacks. Modern ransomware campaigns increasingly rely on double-extortion techniques that encrypt data while simultaneously collecting sensitive information to increase pressure on victims. As ransomware operations continue to mature, future variants are expected to improve automation across different stages of an attack, including victim profiling, data collection, encryption workflows, and post-encryption communication, making incidents more coordinated and operationally efficient.

The ransomware already employs multiple mechanisms to notify victims, including modified file extensions, ransom notes, desktop wallpaper changes, and folder-specific recovery instructions. Future developments are likely to expand these capabilities by introducing stronger anti-analysis and defense-evasion techniques, broader targeting of network-connected storage, virtualized environments, and backup repositories, as well as more sophisticated methods for maintaining access during an intrusion. Ransomware operators are also expected to continue integrating encryption, data theft, and automated deployment into a unified attack chain, increasing the complexity of incident response and forensic investigations while reducing the time required to execute large-scale compromises.

Sigma rule:

title: System File Execution Location Anomaly
description:
Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
tags:
– attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
– ‘\atbroker.exe’
– ‘\audiodg.exe’
– ‘\bcdedit.exe’
– ‘\bitsadmin.exe’
– ‘\certreq.exe’
– ‘\certutil.exe’
– ‘\cmstp.exe’
– ‘\conhost.exe’
– ‘\consent.exe’
– ‘\cscript.exe’
– ‘\csrss.exe’
– ‘\dashost.exe’
– ‘\defrag.exe’
– ‘\dfrgui.exe’ # Was seen used by Lazarus Group – https://asec.ahnlab.com/en/39828/
– ‘\dism.exe’
– ‘\dllhost.exe’
– ‘\dllhst3g.exe’
– ‘\dwm.exe’
– ‘\eventvwr.exe’
– ‘\fsquirt.exe’ # was seen used by sidewinder APT – https://securelist.com/sidewinder-apt/114089/
– ‘\finger.exe’
– ‘\logonui.exe’
– ‘\LsaIso.exe’
– ‘\lsass.exe’
– ‘\lsm.exe’
– ‘\msiexec.exe’
– ‘\ntoskrnl.exe’
– ‘\powershell_ise.exe’
– ‘\powershell.exe’
– ‘\pwsh.exe’
– ‘\regsvr32.exe’
– ‘\rundll32.exe’
– ‘\runonce.exe’
– ‘\RuntimeBroker.exe’
– ‘\schtasks.exe’
– ‘\services.exe’
– ‘\sihost.exe’
– ‘\smartscreen.exe’
– ‘\smss.exe’
– ‘\spoolsv.exe’
– ‘\svchost.exe’
– ‘\taskhost.exe’
– ‘\taskhostw.exe’
– ‘\Taskmgr.exe’
– ‘\userinit.exe’
– ‘\werfault.exe’
– ‘\werfaultsecure.exe’
– ‘\wininit.exe’
– ‘\winlogon.exe’
– ‘\winver.exe’
– ‘\wlanext.exe’
– ‘\wmic.exe’
– ‘\wscript.exe’
– ‘\wsl.exe’
– ‘\wsmprovhost.exe’ # Was seen used by Lazarus Group –
filter_main_generic:
Image|startswith:
– ‘C:\$WINDOWS.~BT\’
– ‘C:\$WinREAgent\’
– ‘C:\Windows\SoftwareDistribution\’
– ‘C:\Windows\System32\’
– ‘C:\Windows\SystemTemp\’
– ‘C:\Windows\SysWOW64\’
– ‘C:\Windows\uus\’
– ‘C:\Windows\WinSxS\’
filter_optional_system32:
Image|contains: ‘\SystemRoot\System32\’
filter_main_powershell:
Image|contains:
– ‘C:\Program Files\PowerShell\7\’
– ‘C:\Program Files\PowerShell\7-preview\’
– ‘C:\Program Files\WindowsApps\Microsoft.PowerShellPreview’
– ‘\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview’ # pwsh installed from Microsoft Store
Image|endswith: ‘\pwsh.exe’
filter_main_wsl_programfiles:
Image|startswith:
– ‘C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux’
– ‘C:\Program Files\WSL\’
Image|endswith: ‘\wsl.exe’
filter_main_wsl_appdata:
Image|startswith: C:\Users\’
Image|contains: ‘\AppData\Local\Microsoft\WindowsApps\’
Image|endswith: ‘\wsl.exe’
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
– Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/info.yml
(Source: Surface Web)

IOCs:

Kindly refer to the IOCs section to exercise control of your security systems (Source: Surface Web)

RECOMMENDATIONS

STRATEGIC RECOMMENDATIONS

  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

 MANAGEMENT RECOMMENDATIONS

  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) If there is a requirement to inform the local authority.
  • To reduce the risk of credentials being compromised, enable multifactor authentication (MFA) and zero-trust architecture.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

  • Ensure that all applications and software are consistently maintained by deploying the most recent releases and applying available security updates and patches in a timely manner.
  • Incorporate the Sigma rule for threat detection and monitoring, which will assist in identifying and tracking suspicious activity as well as detecting anomalies in log events.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.

Focus Malware of the Week

Type: Banking Trojan
Objectives: Credential Theft
Target Technology: Android
Target Geography: Global

CYFIRMA collects data from various forums based on which the trend is ascertained. We identified a few popular malwares that were found to be distributed in the wild to launch cyberattacks on organizations or individuals.

Active Malware of the week
This week “GoldDigger” Android Malware is in focus.

Overview of Operation GoldDigger Android Malware

The analyzed GoldDigger Android malware is a sophisticated mobile threat designed to compromise Android devices and collect sensitive user information. By masquerading as a legitimate application, it deceives users into granting extensive permissions that enable unauthorized access to valuable device resources. Its primary objective is to facilitate financial fraud, credential theft, and long-term access to infected devices while remaining difficult for users to identify.

The malware demonstrates a broad range of capabilities that support surveillance and information theft. It can gather personal and device-related data, monitoring user activity, and interacting with sensitive system features to obtain information that can be exploited by threat actors. These capabilities indicate that the malware is intended to maximize the amount of valuable data collected from each compromised device.

The application also incorporates multiple techniques to reduce the likelihood of detection and maintain its presence on infected systems. Its use of code protection, persistence mechanisms, and concealed communication methods reflects a mature and well-developed malware framework that has been designed to operate discreetly while supporting remote attacker objectives.

Overall, GoldDigger represents a significant threat to both individual users and organizations due to its focus on financial theft and unauthorized access to sensitive information. The malware highlights the growing sophistication of Android-based threats and reinforces the importance of installing applications only from trusted sources, carefully reviewing requested permissions, and deploying mobile security solutions capable of detecting malicious behavior.

Attack Method
The GoldDigger Android malware is typically delivered as a seemingly legitimate application that persuades users to install it manually. Once executed, it requests an extensive set of permissions that grant access to sensitive device resources, including SMS messages, contacts, phone state, storage, location, camera, microphone, and accessibility services. By obtaining these privileges during installation or runtime, the malware establishes a foundation for extensive monitoring and control of the infected device.

Following successful installation, the malware leverages Android Accessibility Services and other privileged APIs to monitor user interactions, collect sensitive information, and facilitate unauthorized actions on behalf of the victim. It can harvest credentials, intercept messages, retrieving device information, monitoring clipboard contents, and collecting data from installed applications. The malware also maintains communication with remote command-and-control (C2) infrastructure, enabling operators to receive stolen information, issue commands, and update malicious functionality as required.

To improve its survivability, GoldDigger incorporates several defense-evasion and persistence mechanisms. The application utilizes code obfuscation to complicate reverse engineering, supports multiple processor architectures through bundled native libraries, and permits clear text network communication for interaction with external infrastructure. Additionally, numerous exported activities, services, broadcast receivers, and content providers increase the malware’s operational flexibility while enabling interaction with other applications and system components.

The overall attack methodology demonstrates a multi-stage infection strategy focused on credential theft, financial fraud, and persistent remote access. By combining excessive permission abuse, accessibility service exploitation, covert data collection, and continuous communication with attacker-controlled infrastructure, GoldDigger enables long-term surveillance of compromised devices while providing threat actors with the capability to expand their operations through additional commands or payloads.

Following are the TTPs based on the MITRE Attack Framework for Mobile

Tactic Technique Technique Name
Defense Evasion T1406 Obfuscated Files or Information
T1407 Download New Code at Runtime
T1632 Subvert Trust Controls
T1414 Clipboard Data
T1517 Access Notifications
Discovery T1420 File and Directory Discovery
T1421 System Network Connections Discovery
T1430 Location Tracking
T1418 Software Discovery
Collection T1636:003 Protected User Data: Contact List
T1636:004 Protected User Data: SMS Messages
T1512 Video Capture
T1513 Screen Capture
Command and Control T1437 Application Layer Protocol

INSIGHTS

  • The GoldDigger malware reflects the continued evolution of Android threats from simple information stealers into comprehensive tools capable of supporting multiple malicious objectives within a single infection. Rather than relying on a narrow set of functions, it integrates data collection, device monitoring, and remote interaction capabilities, highlighting the growing emphasis on maximizing the value of compromised mobile devices.
  • A notable characteristic of this malware is its reliance on deception instead of overtly disruptive behavior. By presenting itself as a legitimate application and operating discreetly after installation, it focuses on maintaining access to the device while collecting valuable information over time. This approach allows malicious activity to blend with normal device usage, making the compromise less apparent to the user.
  • The malware also demonstrates a level of operational maturity that extends beyond opportunistic attacks. Its structured design, broad functionality, and ability to interact with multiple components of the Android ecosystem indicate that it is intended for sustained malicious operations rather than isolated incidents. These characteristics underscore the increasing sophistication of mobile malware and the strategic importance of smartphones as targets for cybercriminal activities.

ETLM ASSESSMENT

For ETLM Perspective the increasing sophistication of Android malware such as GoldDigger indicates that mobile devices will continue to be a primary target for cybercriminals as organizations expand their reliance on mobile applications, remote work, and cloud-based services. As employees increasingly use smartphones to access corporate resources, authentication platforms, and financial applications, successful compromises of these devices could provide threat actors with opportunities to access sensitive business information and disrupt organizational operations.

The continued growth of mobile-centric attack campaigns is also expected to blur the boundaries between personal and enterprise security, as a single compromised device may expose both individual and corporate assets. This evolving threat landscape is likely to increase the operational impact of mobile malware on organizations by facilitating credential compromise, unauthorized access, and data exposure through trusted mobile ecosystems, making mobile security an increasingly important component of enterprise cyber resilience.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems. (Source: Surface Web)

YARA Rule
rule ANDROID_GoldDigger_Banker_Infostealer
{
meta:
description = “Detects GoldDigger Android Banking Trojan / Infostealer”
author = “CYFIRMA”
date = “2026-07-14″

strings:

/* Sample SHA256 */
$hash = ” bba9bc21a322ea0e1737c5fa64057d12f133a3ebed6007ffed979b3d6099f6aa”

/* Android Manifest Indicators */
$manifest = “AndroidManifest.xml”
$apk = “classes.dex”

/* Dangerous Permissions */
$perm1 = “android.permission.BIND_ACCESSIBILITY_SERVICE”
$perm2 = “android.permission.RECEIVE_SMS”
$perm3 = “android.permission.READ_SMS”
$perm4 = “android.permission.SEND_SMS”
$perm5 = “android.permission.READ_CONTACTS”
$perm6 = “android.permission.READ_CALL_LOG”
$perm7 = “android.permission.RECORD_AUDIO”
$perm8 = “android.permission.CAMERA”
$perm9 = “android.permission.ACCESS_FINE_LOCATION”
$perm10 = “android.permission.READ_EXTERNAL_STORAGE”
$perm11 = “android.permission.WRITE_EXTERNAL_STORAGE”

/* Accessibility Abuse */
$acc1 = “AccessibilityService”
$acc2 = “BIND_ACCESSIBILITY_SERVICE”

/* Data Theft Indicators */
$ioc1 = “content://sms”
$ioc2 = “content://contacts”
$ioc3 = “content://call_log”
$ioc4 = “clipboard” ascii
$ioc5 = “getInstalledPackages”
$ioc6 = “TelephonyManager”
$ioc7 = “UsageStatsManager”

/* Network Indicators */
$http1 = “http://”
$http2 = “https://”

/* Native Libraries */
$lib1 = “lib/arm64-v8a/”
$lib2 = “lib/armeabi-v7a/”
$lib3 = “lib/x86/”
$lib4 = “lib/x86_64/”

condition:

uint32(0) == 0x04034B50 and
(
$hash or
(
$manifest and
$apk and
5 of ($perm*) and
3 of ($ioc*) and
any of ($acc*) and
any of ($lib*) and
any of ($http*)
)
)
}

Recommendations

Strategic Recommendations

  • Strengthen enterprise mobile security policies to regulate application installation and permission management.
  • Implement a comprehensive Mobile Threat Defense (MTD) solution to detect and mitigate Android malware.
  • Enforce Zero Trust principles for mobile device access to corporate applications and sensitive resources.
  • Conduct regular mobile security awareness training to educate users about malicious applications and social engineering tactics.
  • Integrate mobile security monitoring into the organization’s overall cybersecurity and incident response strategy.

 MANAGEMENT RECOMMENDATION

  • Restrict application installations to trusted sources such as official app stores and approved enterprise repositories.
  • Enforce Multi-Factor Authentication (MFA) for all corporate accounts accessed through mobile devices.
  • Deploy Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) solutions to enforce security policies.
  • Establish continuous monitoring and incident reporting procedures for suspicious mobile device activity.
  • Ensure Android devices receive timely operating system and application security updates.

 TACTICAL RECOMMENDATION

  • Monitor for excessive permission requests, particularly those involving Accessibility Services, SMS, Contacts, Camera, Microphone, and Storage.
  • Detect and block communication with known malicious command-and-control (C2) infrastructure using network security controls.
  • Scan mobile devices regularly use reputable mobile security or endpoint protection solutions.
  • Review application behavior for unauthorized data collection, credential theft, and abuse of accessibility features.
  • Remove unauthorized or suspicious applications immediately and perform forensic analysis on affected devices to determine the extent of compromise.

Weekly Intelligence Trends/Advisory

1. Weekly Attack Types and Trends

Key Intelligence Signals:

  • Attack Type: Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – Deadlock Ransomware, The Gentlemen Ransomware | Malware – GoldDigger
    • Deadlock Ransomware Ransomware – One of the ransomware groups.
    • The Gentlemen Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
    • Malware – GoldDigger
  • Behaviour –Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defense evasion, and persistence tactics are being observed.

2. Threat Actor in Focus

Silver Fox: Evolving Malware Delivery and Persistent Intrusion Capabilities

  • Threat Actor: Silver Fox aka Void Arachne
  • Attack Type: Domain Impersonation, Malware Implant, SEO Poisoning, Spear-Phishing, Bring your own device (BYOD), Exploitation of Vulnerabilities, social Engineering.
  • Objective: Monetary Benefits, Cyber espionage, Identity theft, Credential compromise.
  • Suspected Target Technology: Sogou AI, Telegram, WPS Office, Youdao, and DeepSeek), Browsers, Social Media (Google Chrome, WatchDog Anti-malware, Windows, Zemana Anti-Malware SDK, Windows
  • Suspected Target Geography: Brunei, Cambodia, China, East Timor, Hong Kong, India, Indonesia, Japan, Laos, Malaysia, Myanmar, Philippines, Singapore, Taiwan, Thailand, Vietnam, Russia, South Africa.
  • Suspected Target Industries: Consulting, Critical Infrastructure, Defense, Education, Finance, Government, Manufacturing, Research, Retail, Telecommunications, Transportation, State-Owned Enterprises, Technology.
  • Business Impact: Compromised user accounts, Data Theft, Operational Disruption, Reputational Damage

About the Threat Actor

Silver Fox is believed to have been active since at least 2019–2020 and has demonstrated a steady evolution in both its tooling and targeting strategies. The threat actor has exhibited increasingly aggressive operations while expanding its operational footprint across multiple countries in the Asia-Pacific (APAC) region.

TTPs based on MITRE ATT&CK Framework

Tactic ID Technique
Resource Development T1583.001 Acquire Infrastructure: Domains
Resource Development T1583.006 Acquire Infrastructure: Web Services
Initial Access T1189 Drive-by Compromise
Initial Access T1566.002 Phishing: Spearphishing Link
Execution T1204.002 User Execution: Malicious File
Execution T1053 Scheduled Task/Job
Execution T1129 Shared Modules
Execution T1569.002 System Services: Service Execution
Execution T1053.005 Scheduled Task/Job: Scheduled Task
Execution T1047 Windows Management Instrumentation
Persistence T1543.003 Create or Modify System Process: Windows Service
Persistence T1053.005 Scheduled Task/Job: Scheduled Task
Persistence T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription
Privilege Escalation T1543.003 Create or Modify System Process: Windows Service
Privilege Escalation T1055 Process Injection
Privilege Escalation T1548 Abuse Elevation Control Mechanism
Privilege Escalation T1053.005 Scheduled Task/Job: Scheduled Task
Privilege Escalation T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription
Stealth T1140 Deobfuscate/Decode Files or Information
Stealth T1036 Masquerading
Stealth T1055 Process Injection
Stealth T1027 Obfuscated Files or Information
Discovery T1016 System Network Configuration Discovery
Discovery T1082 System Information Discovery
Discovery T1083 File and Directory Discovery
Collection T1114 Email Collection
Command and Control T1102 Web Service
Command and Control T1071 Application Layer Protocol
Command and Control T1573 Encrypted Channel
Command and Control T1105 Ingress Tool Transfer
Exfiltration T1041 Exfiltration Over C2 Channel
Impact T1565.002 Data Manipulation: Transmitted Data Manipulation

Latest Developments Observed

  • The threat actor is suspected of delivering the custom MODBEACON Trojan to selectively target organizations across the technology, education, and state-owned enterprise sectors in Asia through counterfeit software installers distributed via SEO poisoning campaigns. The campaign appears to be intelligence-driven, leveraging advanced modular malware, staged payload delivery, and persistent access mechanisms to facilitate long-term espionage and unauthorized information collection.

ETLM Insights
Silver Fox is assessed to be a financially motivated threat actor whose operations demonstrate an increasingly structured intrusion model focused on establishing long-term access to targeted environments while supporting information theft and broader intelligence-driven objectives. Recent activity indicates a shift toward more selective victim targeting and customized intrusion capabilities, reflecting a gradual evolution in the group’s operational maturity.
Operationally, the threat actor demonstrates a persistence-oriented intrusion methodology centered on trusted delivery channels, staged malware deployment, and resilient command-and-control communications to establish and maintain covert access within victim environments. Its tradecraft reflects an emphasis on operational persistence, adaptive payload delivery, and sustained post-compromise activity while minimizing detection opportunities.
The threat actor’s operations reflect a deliberate approach:

  • Selective Targeting: Prioritizing organizations that provide strategic or operational value.
  • Persistent Intrusion Activity: Establishing long-term access to support sustained post-compromise operations.
  • Adaptive Delivery
    Operations: Leveraging trusted distribution channels to improve intrusion success and operational flexibility.

Looking ahead, the threat actor is likely to continue strengthening its intrusion capabilities through increasingly customized malware delivery and resilient operational infrastructure. This evolving operational model positions Silver Fox as a persistent threat capable of sustaining long-term unauthorized access and information collection against high-value organizations.

IOCs:
Kindly refer to the IOCs section to exercise control of your security systems.

YARA Rules
rule IOC_SilverFox_Win32_Campaign
{
meta:
description = “Detects Silver Fox campaign indicators based on observed domains, IP addresses, and Win32 executable artifact”
author = “CYFIRMA”
date = “2026-07-14”
version = “1.0”
reference = “Silver Fox IOC”

strings:
/* Domains */
$domain1 = “fzdoor.vip” ascii nocase
$domain2 = “amvcoins.vip” ascii nocase
$domain3 = “jinmai.vip” ascii nocase
$domain4 = “betooo.vip” ascii nocase

/* IP Addresses */
$ip1 = “43.128.54.184” ascii
$ip2 = “207.56.138.28” ascii
$ip3 = “108.187.42.63” ascii
$ip4 = “108.187.37.85” ascii
$ip5 = “154.82.81.205” ascii

/* File Indicator */
$file1 = “win32.exe” ascii nocase

condition:
any of ($domain*) or
any of ($ip*) or
$file1
}

Recommendations

Strategic Recommendations

  • Incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.
    Assess and deploy alternatives for an advanced endpoint protection solution that provides detection/prevention for malware and malicious activities that do not rely on signature-based detection methods.
    Block exploit-like behaviour. Monitor endpoints memory to find behavioural patterns that are typically exploited, including unusual process handle requests. These patterns are features of most exploits, whether known or new. This will be able to provide effective protection against zero-day/critical exploits and more, by identifying such patterns.

Management Recommendations

  • Invest in user education and implement standard operating procedures for the handling of financial and sensitive data transactions commonly targeted by impersonation attacks. Reinforce this training with context-aware banners and in-line prompts to help educate users.
  • Develop a cyber threat remediation program and encourage employee training to detect anomalies proactively.

Tactical Recommendations

  • For better protection coverage against email attacks (like spear phishing, business email compromise, or credential phishing attacks), organizations should augment built-in email security with layers that take a materially different approach to threat detection.
  • Protect accounts with multi-factor authentication. Exert caution when opening email attachments or clicking on embedded links supplied via email communications, SMS, or messaging.
  • Add the YARA rule for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.

3. Major Geopolitical Developments in Cybersecurity

Western intelligence warn against Russian critical infrastructure hacking

  • The Five Eyes intelligence alliance and eight European partners have issued a joint advisory warning that Russia’s Federal Security Service (FSB) is targeting vulnerable and misconfigured routers within critical infrastructure networks. To compromise these networks, hackers scan the internet for active Simple Network Management Protocol (SNMP) agents that use weak or default community strings for authentication. Once they find a vulnerable router, the attackers send SNMP Set-Requests to copy its configuration file and exfiltrate it to a leased virtual private server or a compromised FTP server under their control.

ETLM Assessment:

  • The agencies attribute this cyber campaign to the Russian intelligence FSB’s Center 16, a state-sponsored threat group widely tracked across the cybersecurity industry as Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra. Unlike groups focused purely on stealing political secrets or intellectual property, Center 16 specializes in compromising critical utilities. They consistently target the energy grid, oil and gas pipelines, water distribution facilities, aviation networks, and the defense industrial base across the U.S., Europe, and allied nations. Western intelligence and judicial indictments reveal that Center 16’s ranks are composed of a mix of active-duty FSB military officers and civilian criminal hackers who are coerced or contracted into working for the state while moonlighting in the cybercrime underground.

    By quietly compromising routers at power plants, water facilities, and transit hubs, hackers are essentially planting digital landmines. They do not want to trigger an outage today; they want to ensure that if a direct military conflict ever breaks out between Russia and NATO, they already have access to the “off switches” of Western society. This also serves as a form of asymmetric deterrence. By demonstrating the ability to quietly infiltrate the power grid or aviation networks of a Western country, Moscow sends a silent but clear warning to foreign policymakers.
    France will summon Russia’s ambassador in the coming days regarding the campaign while authorities in Paris are preparing to sanction nine individuals and four entities responsible for taking part in the campaign.

Chinese APT targets US and Canadian universities

  • According to new researcher, a suspected Chinese advanced persistent threat (APT) group has targeted physics and engineering departments at U.S. and Canadian universities. The threat actor, tracked as “UNK_MassTraction,” focused on departments with national security ties or those specializing in astrophysics and particle physics. To execute the campaign, the actors exploited CVE-2024-4200 to steal credential information stored in user browsers, then weaponized a second flaw to deploy malware directly onto the university mail servers.

ETLM Assessment:

  • As previously noted by CYFIRMA, China is a global champion in using cyber-attacks as a tool of statecraft, and the hands-on role of the government in the economy only reinforces the drive to use cyber-attacks for IP theft, even in matters that are of no military or dual use. China has a bigger hacking program than that of every other major nation combined, and any large company in industries outlined in Chinese development plans will need to invest into external threat landscape management solutions to stay ahead of relentless and repeated assaults by Chinese hackers.

4. Rise in Malware/Ransomware and Phishing

Deadlock Ransomware Impacts a Manufacturing Company from Indonesia

  • Attack Type: Ransomware
  • Target Industry: Manufacturing
  • Target Geography: Indonesia
  • Ransomware: Deadlock Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
CYFIRMA observed on a ransomware data leak site (DLS) on the dark web that a company from Indonesia was compromised by Deadlock Ransomware. The Compromised company is an Indonesian manufacturer and distributor of plastic piping systems, serving residential, commercial, industrial, and infrastructure markets. Founded in 1979 and headquartered in Jakarta, Indonesia, the company is recognized as one of Indonesia’s major producers of piping solutions and related products. The compromised data includes confidential and sensitive information belonging to the organization. The total size of the compromised data is approximately 400 GB.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • Deadlock Ransomware is a financially motivated Ransomware-as-a-Service (RaaS) operation that operates a dedicated Data Leak Site (DLS) to extort victims by encrypting systems and threatening to publish stolen data unless a ransom is paid.
  • The Deadlock Ransomware group primarily targets countries such as Argentina, Sweden, Singapore, Spain, and France.
  • The Deadlock Ransomware group primarily targets industries, including Professional Goods & Services, Materials, Government & Civic, Real Estate & Construction, and Transportation & Logistics.
  • Based on the Deadlock Ransomware victims list from 1st Jan 2025 to 14th July 2026, the top 5 Target Countries are as follows:

  • The Top 10 Industries most affected by the Deadlock Ransomware group victims list from 1st Jan 2026 to 14th July 2026 are as follows:

ETLM Assessment:

  • According to CYFIRMA’s assessment, Deadlock is a financially motivated Ransomware-as-a-Service (RaaS) operation that emerged in 2025 and has rapidly established itself as an active double-extortion threat. The group operates a dedicated Data Leak Site (DLS) and leverages an affiliate-driven model to compromise organizations, exfiltrate sensitive data, encrypt critical systems, and threaten public disclosure unless ransom demands are met. Deadlock primarily gains initial access through the exploitation of internet-facing vulnerabilities, compromised VPN/RDP credentials, phishing campaigns, and access purchased from Initial Access Brokers (IABs). Its use of credential theft, lateral movement, data exfiltration, and rapid encryption across enterprise environments underscores the importance of implementing strong identity and access management, continuous network monitoring, timely vulnerability remediation, network segmentation, immutable offline backups, and robust incident response capabilities to detect, contain, and mitigate ransomware attacks.

The Gentlemen Ransomware Impacts a FinTech company from Singapore

  • Attack Type: Ransomware
  • Target Industry: FinTech
  • Target Geography: Singapore
  • Ransomware: The Gentlemen Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:

CYFIRMA observed on a ransomware data leak site (DLS) in the dark web that a company from Singapore was compromised by The Gentlemen Ransomware.  The compromised company is a is a Singapore-based fintech company specializing in collateral, compliance, and risk management software for structured commodity finance. Founded by seasoned banking professionals, the firm provides cutting-edge technology that helps global banks and direct lenders reliably track assets and mitigate risks. With a strong international presence across Europe and Australia, the company solutions empower financial institutions to navigate complex commodity markets efficiently. The data, which has been breached, has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data includes confidential and sensitive information belonging to the organization. [MISSING IMAGE: ,  ]

Source: Dark Web

Relevancy & Insights:

  • The Gentlemen is a relatively highly sophisticated ransomware-as-a-service (RaaS) group that emerged in mid-2025.
  • The Gentlemen Ransomware group primarily targets countries such as the United States of America, Thailand, France, Germany, and Brazil.
  • The Gentlemen Ransomware group primarily targets industries, including Manufacturing, Professional Goods & Services, Consumer Goods & Services, Information Technology, and Healthcare.
  • Based on the Gentlemen Ransomware victims list from 1st Jan 2025 to 14th July 2026, the top 5 Target Countries are as follows:

  • The Top 10 Industries most affected by the Gentlemen Ransomware victims list from 1st Jan 2025 to 07th July 2026 are as follows:

ETLM Assessment:

  • According to CYFIRMA’s assessment, the Gentlemen Ransomware is a highly adaptive and globally active threat that leverages dual-extortion tactics, combining data theft with file encryption. The group employs advanced evasion and persistence techniques, supports cross-platform and scalable ransomware deployment, and conducts targeted attacks across multiple industries and geographic regions. This combination of capabilities makes it a significant risk to enterprise cybersecurity defenses, particularly for organizations with limited detection and incident-response maturity.

5. Vulnerabilities and Exploit

Vulnerability in Dassault Systèmes DELMIA Apriso

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Manufacturing Operations Management (MOM) / Manufacturing Execution System (MES)
  • Vulnerability: CVE-2026-9695
  • CVSS Base Score: 9.8 Source
  • Vulnerability Type: Improper Authentication
  • Summary: The vulnerability allows a remote attacker to bypass authentication process.

Relevancy & Insights:

  • The vulnerability exists due to an error when processing authentication requests.

Impact:

  • A remote attacker can gain privileged access to the server.

Affected Products: https[:]//www[.]3ds[.]com/trust-center/security/security-advisories/cve-2026-9695

Recommendations:

Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

TOP 5 AFFECTED PRODUCTS OF THE WEEK

This week, CYFIRMA researchers have observed significant impacts on various technologies due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment:

  • Vulnerability in Dassault Systèmes DELMIA Apriso introduces significant risks to organizations that rely on manufacturing operations management (MOM) and manufacturing execution systems (MES) to manage production processes, quality assurance, supply chain coordination, and factory operations. As DELMIA Apriso is widely deployed across manufacturing environments to streamline production workflows and manage operational data, exploitation of this vulnerability could allow attackers to bypass authentication controls and gain unauthorized access to critical manufacturing systems. A successful attack may expose sensitive production information, disrupt manufacturing operations, compromise business-critical processes, and facilitate further compromise across interconnected enterprise environments. Organizations leveraging Dassault Systèmes DELMIA Apriso should ensure timely application of security updates, continuously monitor authentication activities, and implement robust access control and security monitoring practices to mitigate the risk of exploitation. Addressing this vulnerability is essential to maintaining the confidentiality, integrity, and availability of manufacturing operations and enterprise production environments.

6. Latest Cyber-Attacks, Incidents, and Breaches

Krybit Ransomware attacked and published the data of a Manufacturing company from Vietnam

  • Threat Actor: Krybit Ransomware
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Applications
  • Target Industry: Manufacturing
  • Target Geography: Vietnam
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary:

  • Recently, we observed that Krybit Ransomware attacked and published the data of a manufacturing company from Vietnam on its dark web website. The compromised company is a Vietnamese leading manufacturer and exporter of frozen and processed tropical fruits and vegetables, headquartered in Bao Loc City, Lam Dong Province, Vietnam. The company was established witnessing the significant increase in agricultural raw materials from Lam Dong province and is committed to delivering the freshest and highest quality agricultural products from the rich lands of Vietnam to consumers worldwide. The compromised data includes confidential and sensitive information belonging to the organization.

Source: Dark Web

Relevancy & Insights:

  • Krybit Ransomware is a financially motivated cybercriminal group that operates a dedicated data leak site (DLS) to extort victims by encrypting systems and threatening to publish stolen data unless a ransom is paid.
  • The Krybit Ransomware group primarily targets industries, including Professional Goods & Services, Manufacturing, Government & Civic, Consumer Goods & Services, and Information Technology.

ETLM Assessment:

  • According to CYFIRMA’s assessment, Krybit represents a persistent, financially motivated Ransomware-as-a-Service (RaaS) and data extortion threat that leverages an opportunistic affiliate-driven operational model to maximize pressure on victims. Although the group functions via external threat actors incentivized by lucrative profit-sharing structures, its targeted deployment of custom malware suits across corporate environments highlights the critical importance of robust identity security, continuous network monitoring, timely vulnerability remediation, and rigorous data loss prevention measures to detect, contain, and mitigate potential ransomware extortion attacks.

7.Data Leaks

Unauthorized Financial Services Customer Database Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Financial Services (Foreign Exchange & Cryptocurrency Trading)
  • Target Geography: Japan
  • Objective: Financial Gain
  • Business Impact: Exposure of Customer Personally Identifiable Information (PII), Financial Account Information, Increased Fraud Risk, Identity Theft, Regulatory Compliance Concerns, Financial Loss, Reputational Damage

Summary:

The CYFIRMA research team identified a post on a dark web forum advertising the sale of an alleged customer database associated with a Japan-based foreign exchange (FX) and cryptocurrency trading platform. According to the advertisement, the seller claims to possess a large volume of customer lead information and is offering the dataset in multiple record quantities at different price points.
The forum post indicates that the dataset is marketed as an exclusive collection of Japanese financial trading leads and includes sample records intended to demonstrate possession of the data. The advertisement also claims that additional datasets covering various countries and brands are available through the same marketplace.
Potentially Exposed Information
Based on the information shared in the forum advertisement, the allegedly compromised dataset may contain:

  • Customer account names
  • Telephone numbers
  • Email addresses
  • Account status information
  • Country information
  • Brand affiliation
  • Agent or account manager details
  • First-time deposit (FTD) status
  • Deposit amount information
  • Total deposited funds
  • Customer financial activity records
  • Trading lead information
  • Customer identifiers
  • Additional account-related metadata

The disclosure of customer contact information, account status, and financial activity data may further enable attackers to identify high-value victims for investment fraud, cryptocurrency scams, and other financially motivated cybercriminal operations.
The authenticity of the alleged dataset remains unverified at the time of reporting. This assessment is based solely on information published in the dark web forum advertisement and has not been independently confirmed.

Source: Underground Forums

Unauthorized Industrial Manufacturing Database Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Manufacturing
  • Target Geography: South Korea
  • Objective: Financial Gain
  • Business Impact: Exposure of Sensitive Corporate Data, Intellectual Property Risks, Operational Information Disclosure, Regulatory Compliance Concerns, Financial Loss, Reputational Damage.

Summary: The CYFIRMA research team identified a post on a dark web forum advertising the alleged sale of a database belonging to a South Korean industrial manufacturing organization specializing in heavy engineering and industrial equipment. The forum post claims that a complete organizational database has been compromised and is being offered for sale.
According to the advertisement, the leaked data allegedly originates from multiple internal business units across the organization. The post references several operational and administrative departments, including:

  • Technical Research Institute
  • Valve Engineering Team
  • Cryogenic Engineering Team
  • Innovation Team
  • Sales Department
  • Finance Department
  • Materials Team
  • Quality Assurance Team
  • General Affairs Department
  • Production Team

The advertisement further claims that screenshots have been published as proof of possession, while the complete dataset remains accessible only to authorized buyers through the cybercrime forum.
The disclosure of technical research, engineering documentation, production-related information, and employee records could further increase the organization’s exposure to operational disruption and competitive intelligence risks.
The authenticity of the alleged dataset remains unverified at the time of reporting. This assessment is based solely on information published in the dark web forum advertisement and has not been independently confirmed.

Source: Underground Forums

Relevancy & Insights:

  • Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:

  • The threat actor known is assessed to be a recently emerged but highly active and capable entity, primarily engaged in data-leak operations. The group’s activity highlights the persistent and fast-evolving cyber threat landscape, driven by underground criminal ecosystems. This development underscores the urgent need for organizations to reinforce their cybersecurity posture through continuous monitoring, improved threat intelligence capabilities, and proactive defensive strategies to protect sensitive information and critical infrastructure.

Recommendations: Enhance the cybersecurity posture by

  • Updating all software products to their latest versions is essential to mitigate the risk of vulnerabilities being exploited.
  • Ensure proper database configuration to mitigate the risk of database-related attacks.
  • Establish robust password management policies, incorporating multi-factor authentication and role-based access, to fortify credential security and prevent unauthorized access.
  1. Other Observations

The CYFIRMA research team identified a post on a dark web forum advertising the sale of an alleged database and website source code belonging to a Japanese online property rental platform. According to the advertisement, the seller claims to possess the complete database associated with the platform, along with the source code of its primary website.
The forum post also includes what appears to be a partial directory structure of the web application as proof of possession, indicating that the compromised data may include application files, configuration files, development resources, and source code repositories. The complete dataset is advertised for sale through a cybercrime forum.
Potentially Exposed Information
Based on the information shared in the forum advertisement, the allegedly compromised data may include:

  • Customer database records
  • Website source code
  • Web application directory structure
  • Application configuration files
  • Software packages and dependencies
  • Development and deployment scripts
  • Public web assets
  • Website configuration files
  • Source code repositories
  • Internal application components
  • Database-related scripts
  • Backup and export files
  • Development environment information
  • Additional website infrastructure data

The disclosure of website source code and application architecture could enable attackers to identify security weaknesses, develop customized exploits, bypass security controls, and compromise additional corporate systems. Exposure of customer databases may further increase the risk of identity theft, fraud, and unauthorized access to user accounts.
The authenticity of the alleged dataset remains unverified at the time of reporting. This assessment is based solely on information published in the dark web forum advertisement and has not been independently confirmed.

Source: Underground Forums

STRATEGIC RECOMMENDATION

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

 MANAGEMENT RECOMMENDATION

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.

 TACTICAL RECOMMENDATION

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.

Situational Awareness – Cyber News

Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.

Geography-Wise Graph

Industry-Wise Graph

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, technology, please access DeCYFIR.