
CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple industries, geography, and technology that could be relevant to your organization.
Type: Ransomware
Target Technologies: Windows OS
Introduction:
CYFIRMA Research and Advisory Team has found the Friends Ransomware while monitoring various underground forums as part of our Threat Discovery Process.
Friends Ransomware
Friends is a ransomware strain that encrypts user data using strong cryptographic techniques and appends the .friends124 extension to every affected file, rendering them inaccessible without the corresponding decryption key. After completing encryption, it creates an HTML file named RANSOM_NOTE.html that serves as the primary communication channel with the victim. The malware is designed not only to disrupt data availability but also to pressure victims by claiming that sensitive information has been exfiltrated prior to encryption, indicating a double-extortion approach commonly used in modern ransomware campaigns.

Screenshot: File encrypted by the ransomware (Source: Surface Web)
The ransom note informs victims that their files have been encrypted and instructs them to establish contact through the attacker-provided communication channels to obtain payment instructions and the decryption utility. It claims that confidential and personal data has been copied to a remote server and threatens public disclosure or sale of the stolen information if the ransom demand is not met. To increase credibility, the operators offer to decrypt a small number of non-essential files at no cost as proof that file recovery is possible. The note also warns that the ransom amount will increase if communication is delayed beyond a specified time window, applying additional psychological pressure to accelerate payment.

Screenshot: The appearance of the Friends ransom note (RANSOM_NOTE.html) (Source: Surface Web)
From a technical incident response perspective, removal of the ransomware only prevents further encryption activity and does not restore already encrypted files. Recovery typically depends on the availability of unaffected offline or isolated backups, as encrypted data generally cannot be decrypted without the corresponding private key unless a cryptographic flaw exists in the ransomware implementation. During remediation, responders should isolate the compromised system, preserve encrypted files and the ransom note for forensic analysis, identify and eliminate any persistence mechanisms or associated malicious components, investigate potential credential compromise and data exfiltration, and verify system integrity before restoring data to prevent reinfection.
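The preservation step above (inventory what was encrypted, keep the note intact, bound the encryption window) can be scripted so that nothing on the host is modified during triage. The following is an added example, not code from the CYFIRMA report; it uses only the two indicators the report gives (the .friends124 extension and the RANSOM_NOTE.html file name) and builds a throw-away sample tree with constructed placeholder contents so it runs offline.

```python
"""Read-only triage of a file tree for Friends ransomware artefacts.

Added example, not part of the CYFIRMA report. The indicators come from the
report (.friends124 extension, RANSOM_NOTE.html); the sample tree and the note
text below are constructed placeholders for demonstration only.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

ENCRYPTED_EXT = ".friends124"      # extension appended by Friends (from the report)
NOTE_NAME = "RANSOM_NOTE.html"     # ransom note file name (from the report)


def sha256_file(path):
    """Hash a file in chunks so large evidence files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory_ransomware_artifacts(root, ext=ENCRYPTED_EXT, note_name=NOTE_NAME):
    """Walk `root` without writing anything and summarise the impact:
    encrypted files, affected directories, ransom-note copies with their
    SHA-256 (for evidence preservation) and the mtime window of encryption."""
    encrypted = []
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ext):
                encrypted.append(full)
            elif name.lower() == note_name.lower():
                notes.append({"path": full, "sha256": sha256_file(full)})
    mtimes = [os.path.getmtime(p) for p in encrypted]
    window = None
    if mtimes:
        # earliest/latest modification of an encrypted file bounds the
        # encryption run; useful for correlating with process/logon logs
        window = (datetime.fromtimestamp(min(mtimes), timezone.utc).isoformat(),
                  datetime.fromtimestamp(max(mtimes), timezone.utc).isoformat())
    return {
        "encrypted_count": len(encrypted),
        "encrypted_files": sorted(encrypted),
        "affected_directories": sorted({os.path.dirname(p) for p in encrypted}),
        "ransom_notes": notes,
        "encryption_window_utc": window,
    }


def build_sample_tree():
    """Construct a throw-away directory that mimics a hit; returns its root.
    Contents are placeholders, not real ciphertext or the real note."""
    base = tempfile.mkdtemp(prefix="friends_triage_")
    docs = os.path.join(base, "Documents")
    os.makedirs(docs)
    for name in ("report.docx", "budget.xlsx"):
        with open(os.path.join(docs, name + ENCRYPTED_EXT), "wb") as f:
            f.write(b"\x00constructed ciphertext placeholder\x00")
    with open(os.path.join(base, "untouched.txt"), "w") as f:
        f.write("file the ransomware did not touch\n")
    with open(os.path.join(docs, NOTE_NAME), "w") as f:
        f.write("<html><body>constructed placeholder ransom note</body></html>")
    return base


if __name__ == "__main__":
    root = build_sample_tree()
    summary = inventory_ransomware_artifacts(root)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it against the real root of an isolated system (or a mounted image) instead of the sample tree; it only reads, so the note and encrypted files stay exactly as found for later forensic work.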
The following are the TTPs based on the MITRE ATT&CK Framework
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Execution | T1047 | Windows Management Instrumentation |
| Execution | T1053.002 | Scheduled Task/Job: At |
| Execution | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Execution | T1569.002 | System Services: Service Execution |
| Persistence | T1053.002 | Scheduled Task/Job: At |
| Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Persistence | T1112 | Modify Registry |
| Persistence | T1542.003 | Pre-OS Boot: Bootkit |
| Persistence | T1543.003 | Create or Modify System Process: Windows Service |
| Persistence | T1546.001 | Event Triggered Execution: Change Default File Association |
| Persistence | T1546.012 | Event Triggered Execution: Image File Execution Options Injection |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Persistence | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL |
| Privilege Escalation | T1053.002 | Scheduled Task/Job: At |
| Privilege Escalation | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Privilege Escalation | T1055 | Process Injection |
| Privilege Escalation | T1134 | Access Token Manipulation |
| Privilege Escalation | T1543.003 | Create or Modify System Process: Windows Service |
| Privilege Escalation | T1546.001 | Event Triggered Execution: Change Default File Association |
| Privilege Escalation | T1546.012 | Event Triggered Execution: Image File Execution Options Injection |
| Privilege Escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Privilege Escalation | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL |
| Credential Access | T1056.001 | Input Capture: Keylogging |
| Discovery | T1010 | Application Window Discovery |
| Discovery | T1012 | Query Registry |
| Discovery | T1016 | System Network Configuration Discovery |
| Discovery | T1033 | System Owner/User Discovery |
| Discovery | T1057 | Process Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1087 | Account Discovery |
| Discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
| Discovery | T1518.001 | Software Discovery: Security Software Discovery |
| Discovery | T1614 | System Location Discovery |
| Collection | T1056.001 | Input Capture: Keylogging |
| Collection | T1113 | Screen Capture |
| Collection | T1213 | Data from Information Repositories |
| Command and Control | T1102 | Web Service |
| Impact | T1529 | System Shutdown/Reboot |
| Stealth | T1027.002 | Obfuscated Files or Information: Software Packing |
| Stealth | T1055 | Process Injection |
| Stealth | T1070.004 | Indicator Removal: File Deletion |
| Stealth | T1070.006 | Indicator Removal: Timestomp |
| Stealth | T1134 | Access Token Manipulation |
| Stealth | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
| Stealth | T1542.003 | Pre-OS Boot: Bootkit |
| Stealth | T1564.003 | Hide Artifacts: Hidden Window |
| Stealth | T1620 | Reflective Code Loading |
| Defense Impairment | T1222 | File and Directory Permissions Modification |
| Defense Impairment | T1112 | Modify Registry |
Relevancy and Insights:
ETLM Assessment:
CYFIRMA assesses that Friends ransomware is likely to evolve into a more advanced and adaptable threat, with future variants expanding beyond file encryption to incorporate enhanced double-extortion capabilities and more targeted attack methodologies. The operators may strengthen encryption implementations, improve defense evasion techniques, and introduce more resilient persistence mechanisms that enable the malware to survive reboots and security remediation efforts. As ransomware campaigns continue to prioritize enterprise networks, future versions may also be optimized to disrupt critical infrastructure and high-value business operations, increasing the overall impact of successful compromises.
Future iterations are expected to adopt a more modular architecture, allowing threat actors to integrate additional capabilities such as credential harvesting, privilege escalation, lateral movement, and reconnaissance within compromised environments. Such functionality would enable attackers to identify and encrypt the most valuable assets while simultaneously targeting network shares, virtualization platforms, backup repositories, and cloud-hosted resources. The inclusion of anti-analysis, anti-debugging, and anti-forensic features could further complicate malware detection, hinder incident response activities, and reduce opportunities for forensic reconstruction of the attack chain.
The broader ransomware landscape suggests that data exfiltration will remain a central component of future Friends ransomware campaigns, with encryption serving as only one stage of a larger extortion strategy. Beyond locking files, future variants may increasingly exploit stolen corporate and personal information through public leak sites, private resale, or repeated extortion attempts against affected organizations. This evolution would transform incidents into complex, multi-stage intrusions that require organizations to focus not only on backup and recovery but also on continuous monitoring, network segmentation, identity protection, data loss prevention, and comprehensive incident response planning to minimize operational and financial impact.
Sigma rules:
```yaml
title: Shadow Copies Deletion Using Operating Systems Utilities
tags:
    - attack.impact
    - attack.stealth
    - attack.t1070
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection1_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\wmic.exe'
              - '\vssadmin.exe'
              - '\diskshadow.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'wmic.exe'
              - 'VSSADMIN.EXE'
              - 'diskshadow.exe'
    selection1_cli:
        CommandLine|contains|all:
            - 'shadow' # will match "delete shadows" and "shadowcopy delete" and "shadowstorage"
            - 'delete'
    selection2_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection2_cli:
        CommandLine|contains|all:
            - 'delete'
            - 'catalog'
            - 'quiet' # will match -quiet or /quiet
    selection3_img:
        - Image|endswith: '\vssadmin.exe'
        - OriginalFileName: 'VSSADMIN.EXE'
    selection3_cli:
        CommandLine|contains|all:
            - 'resize'
            - 'shadowstorage'
        CommandLine|contains:
            - 'unbounded'
            - '/MaxSize='
    condition: (all of selection1*) or (all of selection2*) or (all of selection3*)
falsepositives:
    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
    - LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)
level: high
```
(Source: Surface Web)
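To see what the three selection groups of the Sigma rule above actually fire on, the following added example (not code from the CYFIRMA report or from SigmaHQ) re-implements the rule's matching logic in plain Python and runs it over a handful of constructed process-creation events. Field names (Image, OriginalFileName, CommandLine) follow the Sigma process_creation log source; string matching is case-insensitive, as Sigma's default modifiers are.

```python
"""Evaluate the 'Shadow Copies Deletion Using Operating Systems Utilities'
Sigma logic over constructed process-creation events.

Added example; the events below are constructed for illustration and the
matching helpers approximate Sigma's default case-insensitive semantics.
"""

SHADOW_IMAGES = ("\\powershell.exe", "\\pwsh.exe", "\\wmic.exe",
                 "\\vssadmin.exe", "\\diskshadow.exe")
SHADOW_ORIGINALS = ("PowerShell.EXE", "pwsh.dll", "wmic.exe",
                    "VSSADMIN.EXE", "diskshadow.exe")


def _endswith_any(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _equals_any(value, options):
    return value.lower() in {o.lower() for o in options}


def _contains_all(value, needles):
    v = value.lower()
    return all(n.lower() in v for n in needles)


def _contains_any(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)


def matches_shadow_copy_deletion(event):
    """Return the selection group that fired ('selection1', 'selection2' or
    'selection3') or None, mirroring the condition
    (all of selection1*) or (all of selection2*) or (all of selection3*)."""
    image = event.get("Image", "")
    orig = event.get("OriginalFileName", "")
    cli = event.get("CommandLine", "")

    # selection1: shadow deletion through powershell/wmic/vssadmin/diskshadow
    s1_img = _endswith_any(image, SHADOW_IMAGES) or _equals_any(orig, SHADOW_ORIGINALS)
    s1_cli = _contains_all(cli, ("shadow", "delete"))
    if s1_img and s1_cli:
        return "selection1"

    # selection2: wbadmin catalog deletion with the quiet switch
    s2_img = _endswith_any(image, ("\\wbadmin.exe",)) or _equals_any(orig, ("WBADMIN.EXE",))
    s2_cli = _contains_all(cli, ("delete", "catalog", "quiet"))
    if s2_img and s2_cli:
        return "selection2"

    # selection3: vssadmin shadow storage resize (unbounded or /MaxSize=)
    s3_img = _endswith_any(image, ("\\vssadmin.exe",)) or _equals_any(orig, ("VSSADMIN.EXE",))
    s3_cli = (_contains_all(cli, ("resize", "shadowstorage"))
              and _contains_any(cli, ("unbounded", "/MaxSize=")))
    if s3_img and s3_cli:
        return "selection3"
    return None


def run_detection(events):
    """Apply the rule to a list of events; return (index, selection) hits."""
    hits = []
    for i, ev in enumerate(events):
        sel = matches_shadow_copy_deletion(ev)
        if sel:
            hits.append((i, sel))
    return hits


# Constructed sample events: four that the rule should flag, two it should not.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": "C:\\Windows\\System32\\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"Image": "C:\\Windows\\System32\\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded"},
    {"Image": "C:\\Windows\\System32\\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin list shadows"},            # read-only listing, no 'delete'
    {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c dir shadow_report.txt"},      # unrelated binary and command
]

if __name__ == "__main__":
    for idx, sel in run_detection(SAMPLE_EVENTS):
        print(f"event {idx}: matched {sel}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The two benign events show where the rule's precision comes from: the image or OriginalFileName alone never fires, it is the command-line substrings combined with the binary that do. The falsepositives list in the rule applies for the same reason; an administrator running the same utilities will produce the same match, so the alert needs context (user, time, preceding activity) before it is escalated.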
IOCs:
Kindly refer to the IOCs section to exercise control of your security systems. (Source: Surface Web)
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Type: Information Stealer | Objectives: Credential Theft / Data Exfiltration | Target Technology: Windows | Target Geography: Global
CYFIRMA collects data from various forums based on which the trend is ascertained. We identified a few popular malwares that were found to be distributed in the wild to launch cyberattacks on organizations or individuals.
Active Malware of the week
This week, “LuvswagStealer” is in focus.
Overview of Operation LuvswagStealer Malware
LuvswagStealer is a Windows-based information-stealing malware designed to covertly collect sensitive information from compromised systems while employing multiple defense evasion and persistence mechanisms to maintain long-term access. The malware combines credential theft, system reconnaissance, user activity monitoring, and command-and-control (C2) communication within a single payload, enabling threat actors to harvest valuable information and facilitate subsequent stages of an intrusion. Its broad range of capabilities makes it a significant threat to both individual users and enterprise environments.
During execution, the malware performs extensive reconnaissance to profile the infected host by gathering system information, enumerating running processes, identifying installed software, querying registry settings, and collecting user-specific details. It also incorporates multiple anti-analysis techniques, including debugger detection, virtual machine identification, execution delay checks, code obfuscation, and software packing, evading automated analysis environments and hindering reverse engineering efforts. These mechanisms significantly improve its ability to remain concealed throughout the infection lifecycle.
To establish persistence and execute malicious operations discreetly, the malware modifies Windows Registry entries associated with startup execution and leverages process injection to execute malicious code within legitimate processes. Additionally, it employs registry manipulation, obfuscated code, and security control impairment techniques to reduce its visibility and complicate forensic investigations. These capabilities enable the malware to maintain persistent access while blending with legitimate system activity.
Once active, the malware communicates with remote command-and-control (C2) infrastructure using standard application-layer protocols to transmit stolen information and receive additional instructions. Its data collection capabilities include keystroke logging, clipboard monitoring, screenshot capture, audio recording, and the theft of locally stored data. The combination of comprehensive information theft, stealth techniques, persistence mechanisms, and resilient C2 communication demonstrates a mature and capable threat, reinforcing the need for layered security controls, continuous behavioral monitoring, and timely incident response to minimize organizational risk.
Attack Method
The infection begins when the malicious executable is launched on a Windows system, after which it initializes the required Windows libraries and validates the execution environment before activating its core functionality. The malware performs multiple anti-analysis checks, including debugger detection, virtual machine identification, and execution timing validation using functions such as GetTickCount. It also employs software packing, stack-string obfuscation, and encoded data to conceal its functionality, making static analysis and automated sandbox detection significantly more difficult.
After successful execution, the malware performs extensive host reconnaissance to build a profile of the compromised system. It enumerates running processes, installed software, registry keys, system configuration, network settings, user information, keyboard layout, and file system contents. Additional discovery routines identify analysis tools and virtualized environments while inspecting Portable Executable (PE) sections and memory permissions to determine whether the sample is executing within a monitored environment. This reconnaissance enables the malware to tailor its execution and avoid exposing its full capabilities when analysis is suspected.
To establish persistence and evade security mechanisms, the malware modifies Windows Registry entries associated with startup execution and Winlogon-related registry locations. It can inject code into legitimate processes, creating and managing threads, suspending or resuming execution, and terminating selected processes. The malware further manipulates registry values, performs self-deletion when required, and attempts to impair defensive controls. Runtime API resolution, COMSPEC environment variable usage, and extensive Windows API interactions reduce its static footprint while increasing execution flexibility across different Windows environments.
Following successful persistence, the malware activates its information-stealing capabilities and establishes outbound communication with its command-and-control infrastructure over HTTP and TCP using the WinINet and Winsock APIs. It resolves remote domains, creates network requests, exchanges data with external servers, and supports bidirectional communication for tasking. Simultaneously, it captures keystrokes through application hooks and polling techniques, monitors clipboard contents, records screenshots and microphone audio, collects files and stored information, and encrypts or encodes harvested data using algorithms such as RC4, Base64, XOR, and DPAPI before transmitting the stolen information to remote operators. This combination of stealth, reconnaissance, persistence, credential harvesting, and encrypted data exfiltration enables the malware to operate effectively while minimizing the likelihood of detection.
The following are the TTPs based on the MITRE ATT&CK Framework for Enterprises
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1129 | Shared Modules |
| Persistence | T1112 | Modify Registry |
| Persistence | T1547 | Boot or Logon Autostart Execution |
| Privilege Escalation | T1055 | Process Injection |
| Stealth | T1027 | Obfuscated Files or Information |
| Stealth | T1027.002 | Obfuscated Files or Information: Software Packing |
| Stealth | T1070 | Indicator Removal |
| Stealth | T1140 | Deobfuscate/Decode Files or Information |
| Stealth | T1497 | Virtualization/Sandbox Evasion |
| Credential Access | T1056 | Input Capture |
| Discovery | T1010 | Application Window Discovery |
| Discovery | T1012 | Query Registry |
| Discovery | T1016 | System Network Configuration Discovery |
| Discovery | T1033 | System Owner/User Discovery |
| Discovery | T1057 | Process Discovery |
| Discovery | T1518.001 | Software Discovery: Security Software Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1087 | Account Discovery |
| Discovery | T1518 | Software Discovery |
| Discovery | T1614 | System Location Discovery |
| Collection | T1005 | Data from Local System |
| Collection | T1213 | Data from Information Repositories |
| Command and Control | T1071 | Application Layer Protocol |
INSIGHTS
ETLM ASSESSMENT
ETLM prospects indicate that information-stealing malware is likely to remain a persistent threat as organizations continue expanding their digital ecosystems and employees increasingly rely on cloud services, remote connectivity, and interconnected business applications. Future campaigns are expected to place greater emphasis on harvesting identities and organizational information that can be leveraged for financial fraud, unauthorized access, and follow-on cyber intrusions. As a result, enterprises may face heightened risks of data exposure, operational disruption, and reputational damage, while employees could become more frequent targets of identity theft, account compromise, and highly personalized social engineering attacks driven by previously stolen information.
IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems. (Source: Surface Web)
YARA Rules
```yara
rule LuvswagStealer_Detection
{
    meta:
        description = "Detects LuvswagStealer based on unique strings and known SHA-256 hash"
        author = "CYFIRMA"
        date = "2026-06-30"
        malware_family = "LuvswagStealer"

    strings:
        /* Known SHA-256 (as ASCII text: matches files that contain the hash
           string, e.g. reports or IOC lists, not the sample itself) */
        $hash = "b45bbb0582aa658722616257d7cde23eb98430a2f31dbac3de596365122a642f"

        /* Network Indicators */
        $s1 = "discord.com"
        $s2 = "https://discord.com/api/v10/users/"
        $s3 = "ip-api.com"
        $s4 = "http://ip-api.com/line/?fields=country"

        /* Anti-analysis */
        $s5 = "CheckRemoteDebuggerPresent"
        $s6 = "WudfIsAnyDebuggerPresent"
        $s7 = "GetTickCount"
        $s8 = "VMware"
        $s9 = "VirtualBox"

        /* Persistence */
        $s10 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"
        $s11 = "Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"

        /* Crypto / Encoding */
        $s12 = "RC4"
        $s13 = "Base64"

    condition:
        /* PE (MZ) header and either the hash string or at least 6 of the strings */
        uint16(0) == 0x5A4D and (
            $hash or 6 of ($s*)
        )
}
```
Strategic Recommendations
Management Recommendations
Tactical Recommendations
Key Intelligence Signals:
Turla: Evolving State-Aligned Cyber-Espionage Operations
About the Threat Actor
Turla is a Russia-linked advanced persistent threat (APT) group that has been active since at least 2008 and is widely assessed to conduct long-term cyber espionage operations in support of Russian strategic intelligence objectives. The threat actor is known for targeting government institutions, diplomatic entities, military organizations, and other high-value networks to obtain sensitive political, military, and strategic intelligence. The threat actor employs sophisticated malware, covert persistence mechanisms, and encrypted command-and-control (C2) infrastructure to maintain long-term access while minimizing detection. The group has demonstrated advanced operational security practices, including the use of custom toolsets, stealthy surveillance techniques, and encrypted communications, making attribution and analysis particularly challenging. The threat actor continues to refine its tradecraft and remains one of the most capable and persistent state-sponsored cyber espionage groups.
Details on Exploited Vulnerabilities

TTPs based on MITRE ATT&CK Framework
| Tactic | ID | Technique |
|---|---|---|
| Resource Development | T1587.001 | Develop Capabilities: Malware |
| Resource Development | T1583.006 | Acquire Infrastructure: Web Services |
| Resource Development | T1584.003 | Compromise Infrastructure: Virtual Private Server |
| Resource Development | T1584.004 | Compromise Infrastructure: Server |
| Resource Development | T1584.006 | Compromise Infrastructure: Web Services |
| Resource Development | T1588.002 | Obtain Capabilities: Tool |
| Resource Development | T1588.001 | Obtain Capabilities: Malware |
| Initial Access | T1189 | Drive-by Compromise |
| Initial Access | T1078.003 | Valid Accounts: Local Accounts |
| Initial Access | T1566.002 | Phishing: Spear-phishing Link |
| Execution | T1106 | Native API |
| Execution | T1204.001 | User Execution: Malicious Link |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| Execution | T1059.006 | Command and Scripting Interpreter: Python |
| Execution | T1059.007 | Command and Scripting Interpreter: JavaScript |
| Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic |
| Persistence | T1078.003 | Valid Accounts: Local Accounts |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Persistence | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL |
| Persistence | T1112 | Modify Registry |
| Persistence | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription |
| Persistence | T1546.013 | Event Triggered Execution: PowerShell Profile |
| Privilege Escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Privilege Escalation | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL |
| Privilege Escalation | T1078.003 | Valid Accounts: Local Accounts |
| Privilege Escalation | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription |
| Privilege Escalation | T1546.013 | Event Triggered Execution: PowerShell Profile |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
| Privilege Escalation | T1055 | Process Injection |
| Privilege Escalation | T1055.001 | Process Injection: Dynamic-link Library Injection |
| Privilege Escalation | T1134.002 | Access Token Manipulation: Create Process with Token |
| Stealth | T1078.003 | Valid Accounts: Local Accounts |
| Stealth | T1134.002 | Access Token Manipulation: Create Process with Token |
| Stealth | T1140 | Deobfuscate/Decode Files or Information |
| Stealth | T1564.012 | Hide Artifacts: File/Path Exclusions |
| Stealth | T1036.005 | Masquerading: Match Legitimate Resource Name or Location |
| Stealth | T1055.001 | Process Injection: Dynamic-link Library Injection |
| Stealth | T1055 | Process Injection |
| Stealth | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools |
| Stealth | T1027.010 | Obfuscated Files or Information: Command Obfuscation |
| Stealth | T1027.011 | Obfuscated Files or Information: Fileless Storage |
| Defense Impairment | T1112 | Modify Registry |
| Defense Impairment | T1685 | Disable or Modify Tools |
| Defense Impairment | T1553.006 | Subvert Trust Controls: Code Signing Policy Modification |
| Credential Access | T1110 | Brute Force |
| Credential Access | T1555.004 | Credentials from Password Stores: Windows Credential Manager |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1615 | Group Policy Discovery |
| Discovery | T1201 | Password Policy Discovery |
| Discovery | T1120 | Peripheral Device Discovery |
| Discovery | T1069.001 | Permission Groups Discovery: Local Groups |
| Discovery | T1069.002 | Permission Groups Discovery: Domain Groups |
| Discovery | T1057 | Process Discovery |
| Discovery | T1018 | Remote System Discovery |
| Discovery | T1087.001 | Account Discovery: Local Account |
| Discovery | T1087.002 | Account Discovery: Domain Account |
| Discovery | T1518.001 | Software Discovery: Security Software Discovery |
| Discovery | T1007 | System Service Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1012 | Query Registry |
| Discovery | T1016 | System Network Configuration Discovery |
| Discovery | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery |
| Discovery | T1049 | System Network Connections Discovery |
| Discovery | T1124 | System Time Discovery |
| Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares |
| Lateral Movement | T1570 | Lateral Tool Transfer |
| Collection | T1213.006 | Data from Information Repositories: Databases |
| Collection | T1025 | Data from Removable Media |
| Collection | T1560.001 | Archive Collected Data: Archive via Utility |
| Collection | T1005 | Data from Local System |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |
| Command and Control | T1071.003 | Application Layer Protocol: Mail Protocols |
| Command and Control | T1090 | Proxy |
| Command and Control | T1090.001 | Proxy: Internal Proxy |
| Command and Control | T1105 | Ingress Tool Transfer |
| Command and Control | T1102 | Web Service |
| Command and Control | T1102.002 | Web Service: Bidirectional Communication |
| Exfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
Latest Developments Observed
The threat actor is suspected of leveraging the STOCKSTAY backdoor to target government entities, Western Ministries of Foreign Affairs, and defense organizations in Ukraine and Italy amid heightened geopolitical tensions. The activity is assessed to be primarily intelligence-driven, with objectives centered on strategic espionage, information collection, and long-term access to sensitive government and defense networks.
ETLM Insights
Turla is assessed as a Russia-linked state-sponsored advanced persistent threat (APT) group primarily engaged in cyber espionage activities supporting strategic intelligence collection objectives. The threat actor demonstrates a mature and highly disciplined operational tradecraft that emphasizes stealth, long-term persistence, and covert intelligence gathering, enabling sustained access to strategically significant environments while minimizing operational visibility.
Operationally, the threat actor employs sophisticated intrusion methodologies centered on custom malware, trusted system components, encrypted command-and-control infrastructure, and covert persistence mechanisms to establish and maintain long-term access. Its tradecraft reflects a strong focus on operational security, adaptive intrusion techniques, and intelligence-driven operations designed to support prolonged information collection while limiting detection opportunities.
Looking ahead, the threat actor is expected to continue refining its espionage capabilities by advancing stealth-oriented intrusion techniques, enhancing operational resilience, and evolving its custom toolsets to adapt to modern defensive controls. This evolving operational model positions the group as a persistent strategic cyber espionage threat, creating sustained exposure for organizations responsible for sensitive government, diplomatic, defense, and national security information.
IOCs:
Kindly refer to the IOCs section to exercise control of your security systems (Surface-web).
YARA Rules
```yara
rule IOC_Threat_Hunting_Generic
{
    meta:
        author = "CYFIRMA"
        description = "Detects samples containing observed IOC strings"
        date = "2026-06-30"
        version = "1.0"
        tlp = "TLP:CLEAR"

    strings:
        /* Filenames */
        $f1 = "spoolsvs.exe" ascii nocase
        $f2 = "mtathreadattribute.exe" ascii nocase
        $f3 = "rastlsc.exe" ascii nocase
        $f4 = "elf" ascii

        /* SHA256 (as ASCII text: matches files that contain the hash string,
           e.g. reports or IOC lists, not the sample itself) */
        $sha1 = "d21908dc0c08da389aa9e4829aa934ab7f250fece1430ed5a644e0590d8876f7" ascii nocase

        /* Domains */
        $d1 = "event.target" ascii nocase
        $d2 = "securityonline.info" ascii nocase
        $d3 = "networklookout.com" ascii nocase
        $d4 = "lab52.io" ascii nocase
        $d5 = "kav-certificates.info" ascii nocase

        /* IP Addresses */
        $ip1 = "209.97.171.8" ascii
        $ip2 = "209.126.11.251" ascii
        $ip3 = "176.57.184.97" ascii
        $ip4 = "173.212.252.2" ascii
        $ip5 = "167.86.118.69" ascii

        /* CVE References */
        $cve1 = "CVE-2020-5902" ascii
        $cve2 = "CVE-2018-15982" ascii
        $cve3 = "CVE-2018-20250" ascii
        $cve4 = "CVE-2023-34362" ascii
        $cve5 = "CVE-2015-3113" ascii

    condition:
        /* YARA refuses to compile a rule with unreferenced strings, so $sha1 and
           $cve* are included here as alternative IOC hits alongside the original
           filename/domain/IP combination */
        uint16(0) == 0x5A4D and (
            (3 of ($f*) and 2 of ($d*, $ip*))
            or $sha1 or any of ($cve*)
        )
}
```
Strategic Recommendations
Management Recommendations
Tactical Recommendations
Chinese hackers target critical infrastructure across Southeast Asia
Researchers are tracking a cluster of threat activity carried out by Chinese-speaking actors targeting critical infrastructure across Southeast Asia. Researchers have linked the group to previous attacks on web hosting infrastructure in Taiwan. According to one of the research groups, their latest campaign demonstrates a sustained, long-term focus on the Asia-Pacific region. In the most recent wave of attacks, the group shifted focus to the energy sector and government organizations. They deployed a newly identified Trojan called TinyRCT – a lightweight, custom backdoor written in C#.
ETLM Assessment:
As previously noted in CYFIRMA reports like this one, China’s cyber operations have evolved from economic espionage to strategic, politically driven campaigns that pose significant threats to Western critical infrastructure and global security. The Salt Typhoon and Volt Typhoon campaigns highlight this transformation; the former penetrated telecommunications networks in over 80 countries, accessing vast communications and geolocation data, and the latter embedded malware in U.S. critical infrastructure sectors like energy, transportation, and water systems. As China’s cyber capabilities grow more sophisticated and disruptive, rival nations must confront the reality of a new threat landscape, where digital vulnerabilities could reshape geopolitical outcomes and challenge the resilience of open societies.
FBI warns on Russian phishing attacks targeting messaging apps
The US FBI and CISA have updated their previous public service announcement, warning that Russian intelligence services are targeting Signal and other commercial messaging apps. The threat actors are now specifically going after Backup Recovery Keys through phishing attacks. These operations do not exploit any vulnerabilities in the messaging apps themselves. The campaign has primarily targeted current and former U.S. and international government officials, military personnel, political figures, journalists, and key officials located in Ukraine. According to the advisory, if a victim inadvertently shares their Backup Recovery Key, that same key remains valid even if they later create a new account using the same phone number. This means the actor could potentially use the compromised key to take over the new account in the future.
ETLM Assessment:
As previously noted by CYFIRMA, the goal of the Russian state-backed hackers in this large-scale global cyber campaign is to gain unauthorized access to Signal and WhatsApp accounts belonging to high-value targets such as dignitaries, government officials, civil servants, military personnel, and potentially journalists or others of interest to the Russian government – including confirmed victims among Dutch and USA government employees – in order to conduct espionage by secretly reading private messages, monitoring communications, and eavesdropping on group chats without needing to break the apps’ end-to-end encryption. This enables surveillance of sensitive discussions related to national security, policy, or other strategic information valuable to Russian state interests.
Stormous Ransomware Impacts a Chemical & Pharmaceutical Distribution Company from Japan
Summary:
CYFIRMA observed on a ransomware data leak site (DLS) on the dark web that a company from Japan was compromised by Stormous Ransomware. The compromised company is a long-established Japanese trading company specialising in the distribution of specialty chemicals, pharmaceutical ingredients, industrial materials, food ingredients, and analytical equipment. Based on the information shown in the image, the ransomware operators claim to have compromised a broad range of financial and corporate business data belonging to the organization. The allegedly stolen data includes comprehensive financial statements, such as balance sheets, asset records, liabilities, capital information, accounts receivable (A/R), and accounts payable (A/P). At the time of the posting, the leak was marked as “Pending,” indicating that the attackers were claiming possession of the data and had not yet publicly released it.

Source: Dark Web
Relevancy & Insights:
ETLM Assessment:
According to CYFIRMA’s assessment, Stormous represents a persistent financially motivated ransomware and data extortion threat that combines data theft with public leak-site extortion to maximize pressure on victims. Although the group has made numerous high-profile claims, its continued targeting of organizations across critical sectors highlights the importance of robust identity security, continuous network monitoring, timely vulnerability remediation, and effective data loss prevention measures to detect, contain, and mitigate potential ransomware and extortion attacks.
The Gentlemen Ransomware Impacts a Diversified Conglomerate Company from Kuwait
Summary:
CYFIRMA observed on a ransomware data leak site (DLS) on the dark web that a company from Kuwait was compromised by The Gentlemen Ransomware. The compromised company is a diversified group of companies with a portfolio spanning high-growth and high-impact industries across the GCC region. Their extensive operations encompass a wide range of sectors, including engineering, architectural solutions, hospitality, food & beverage, logistics, healthcare, and venture capital. The group is committed to delivering integrated, end-to-end services while fostering long-term sustainable growth across all its businesses. The breached data has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data includes confidential and sensitive information belonging to the organization.

Source: Dark Web
Relevancy & Insights:
ETLM Assessment:
According to CYFIRMA’s assessment, The Gentlemen Ransomware is a highly adaptive and globally active threat that leverages dual-extortion tactics, combining data theft with file encryption. The group employs advanced evasion and persistence techniques, supports cross-platform and scalable ransomware deployment, and conducts targeted attacks across multiple industries and geographic regions. This combination of capabilities makes it a significant risk to enterprise cybersecurity defenses, particularly for organizations with limited detection and incident-response maturity.
Vulnerability in Autodesk Fusion 360
Relevancy & Insights:
The vulnerability exists due to improper access control in the MCP extension when processing a maliciously crafted webpage visited by a user while Autodesk Fusion Desktop is running.
Impact:
A remote attacker can execute arbitrary code by causing the user to visit a maliciously crafted webpage.
Exploitation requires the MCP extension to be enabled, and user interaction is required.
Affected Products:
https[:]//www[.]Autodesk[.]com/trust/security-advisories/adsk-sa-2026-0008
Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.
TOP 5 AFFECTED TECHNOLOGIES OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment
The vulnerability in Autodesk Fusion 360 introduces significant risks to organizations that rely on computer-aided design (CAD), engineering, and manufacturing software for product development and collaborative design workflows. As Autodesk Fusion 360 is widely used by engineers, designers, and manufacturing teams to design, simulate, manufacture, and manage product lifecycles, exploitation of this vulnerability could allow attackers to execute arbitrary code and compromise engineering workstations or sensitive design environments. A successful attack against affected systems may result in unauthorized access to valuable intellectual property, disruption of engineering operations, compromise of product design workflows, and increased risk of lateral movement across enterprise networks. Organizations leveraging Autodesk Fusion 360 must ensure timely patching, continuously monitor engineering endpoints, and implement secure configuration practices to mitigate the risk of exploitation. Addressing this vulnerability is essential to maintaining the confidentiality, integrity, and availability of engineering assets, product design data, and enterprise manufacturing environments.
DragonForce Ransomware attacked and published the data of a Manufacturing company from Japan
Summary:
Recently, we observed that DragonForce Ransomware attacked and published the data of a Manufacturing company from Japan on its dark web website. The compromised company is a Japanese manufacturer specializing in the design and production of safety valves, relief valves, and pressure control equipment for industrial applications. Established in 1952, the company has decades of experience developing high-performance valve technologies for critical pressure systems across various industries. Based on the information shown in the image, the ransomware operators claim to have exfiltrated approximately 28.11 GB of corporate data. The compromised information reportedly includes a comprehensive corporate overview, encompassing official company profiles, technical catalogs, industrial registration documents, and other business-related records. The leak notice also indicates that published files are available, suggesting that the stolen dataset may contain additional internal documentation, operational records, technical materials, and proprietary business information.

Source: Dark Web
Relevancy & Insights:
ETLM Assessment:
According to CYFIRMA’s assessment, DragonForce represents a significant threat in the ransomware landscape due to its advanced operational methods and extensive use of modified ransomware tools. As it continues to target high-profile organizations globally, ongoing vigilance and proactive cybersecurity strategies will be essential for mitigating risks associated with this formidable threat actor. Organizations should remain alert to the evolving tactics employed by groups like DragonForce to protect their sensitive data and maintain operational integrity.
Unauthorised Firewall Access Advertised on a Leak Site
Summary:
The CYFIRMA research team identified a post on a dark web forum advertising the sale of alleged privileged access to an organization’s firewall infrastructure operating within the financial technology sector in the United Arab Emirates. According to the advertisement, the offered access includes a Linux-based firewall with root-level remote code execution (RCE) and shell access, enabling a buyer to obtain administrative control over the exposed system. The seller claims the access is available for a fixed price of $400 and is intended exclusively for serious buyers, with further communication facilitated through an encrypted messaging platform. No additional information regarding the organization’s size, revenue, or internal environment is disclosed in the advertisement.
Based on the information presented in the forum post, the advertised access may provide the following capabilities:
If the advertised access is genuine, attackers could leverage the compromised firewall as an entry point to gain broader access to the organization’s internal environment. Such access may enable credential theft, unauthorized data exfiltration, deployment of ransomware, disruption of business operations, manipulation of network security policies, and compromise of sensitive financial systems. Because firewalls typically serve as critical perimeter security devices, their compromise can significantly weaken an organization’s overall security posture and increase the likelihood of further attacks across connected infrastructure.
The authenticity of the advertised access remains unverified at the time of reporting. The assessment is based solely on information published in a dark web forum advertisement, and no independent verification has confirmed that the claimed access is legitimate or currently active.

Source: Underground Forums
Relevancy & Insights:
Financially motivated cybercriminals are continuously looking for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to gain access and steal valuable data. Subsequently, the stolen data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.
ETLM Assessment:
The threat actor is assessed to be a recently emerged but highly active and capable entity, primarily engaged in data-leak operations. The group’s activity highlights the persistent and fast-evolving cyber threat landscape, driven by underground criminal ecosystems. This development underscores the urgent need for organizations to reinforce their cybersecurity posture through continuous monitoring, improved threat intelligence capabilities, and proactive defensive strategies to protect sensitive information and critical infrastructure.
Recommendations: Enhance the cybersecurity posture by:
The CYFIRMA research team identified a post on a dark web forum advertising the alleged sale of a customer database belonging to a digital veterinary care platform operating in Singapore. According to the forum advertisement, the seller claims the dataset contains information relating to approximately 28,641 users. The post states that the data originates from the platform’s internal systems and is accompanied by sample data as proof of possession. The seller further indicates that the dataset is available for purchase and also threatens to sell the information publicly if a ransom demand is not met before the specified deadline.
Based on the information presented in the forum advertisement, the allegedly compromised dataset may include:
According to the advertisement, the seller claims to possess approximately 28,641 user records and has provided sample data to demonstrate possession of the alleged dataset. The post further states that the information will remain available for purchase until the specified deadline, after which it may be released or sold to third parties if no agreement is reached.
If verified, the exposure of this information could present significant risks to affected individuals and the organization. Threat actors could exploit the disclosed data to conduct phishing campaigns, identity theft, account takeover attempts, credential stuffing attacks, social engineering, business email compromise (BEC), and fraud. The compromise of veterinary consultation records and customer information may also expose sensitive personal data, increasing privacy concerns and potentially resulting in regulatory scrutiny, legal liabilities, financial losses, and reputational damage.
The authenticity of the advertised dataset remains unverified at the time of reporting. The assessment is based solely on information published in a dark web forum advertisement and has not been independently confirmed.

Source: Underground Forums
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.
For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, and technology, please access DeCYFIR.