
Weekly Intelligence Report – 05 September 2025

Published On : 2025-09-04

Ransomware of the week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. These span multiple industries, geographies, and technologies that could be relevant to your organization.

Type: Ransomware
Target Technologies: Windows

Introduction:
CYFIRMA Research and Advisory Team has found NEZHA Ransomware while monitoring various underground forums as part of our Threat Discovery Process.

NEZHA Ransomware:
Researchers have discovered a new ransomware strain called NEZHA. This ransomware encrypts victims’ files, renaming them with the .NEZHA extension. Infected systems are left with a ransom note titled README.TXT.

Screenshot of files encrypted by ransomware (Source: Surface Web)

The ransom note states that all files have been encrypted and can only be restored with the attackers’ private key, obtainable by contacting them via the provided emails. Victims are offered free decryption of one non-valuable file as proof. The note warns against using third-party tools or renaming files, claiming this could cause permanent loss. Attackers assert they have had long-term access to the victim’s network, exfiltrated sensitive data, and threaten to leak or sell it if no contact is made within 24 hours.

The appearance of NEZHA’s ransom note (“README.TXT”) (Source: Surface Web)

Following are the TTPs based on the MITRE ATT&CK Framework

Tactic Technique ID Technique Name
Execution T1047 Windows Management Instrumentation
Execution T1059 Command and Scripting Interpreter
Execution T1129 Shared Modules
Privilege Escalation T1134 Access Token Manipulation
Defense Evasion T1027 Obfuscated Files or Information
Defense Evasion T1027.005 Obfuscated Files or Information: Indicator Removal from Tools
Defense Evasion T1036 Masquerading
Defense Evasion T1134 Access Token Manipulation
Defense Evasion T1222 File and Directory Permissions Modification
Credential Access T1056 Input Capture
Credential Access T1056.001 Input Capture: Keylogging
Discovery T1007 System Service Discovery
Discovery T1016 System Network Configuration Discovery
Discovery T1033 System Owner/User Discovery
Discovery T1057 Process Discovery
Discovery T1082 System Information Discovery
Discovery T1083 File and Directory Discovery
Discovery T1087 Account Discovery
Discovery T1518 Software Discovery
Discovery T1614 System Location Discovery
Discovery T1614.001 System Location Discovery: System Language Discovery
Lateral Movement T1080 Taint Shared Content
Collection T1056 Input Capture
Collection T1056.001 Input Capture: Keylogging
Collection T1074 Data Staged
Command and Control T1071 Application Layer Protocol
Command and Control T1095 Non-Application Layer Protocol
Command and Control T1105 Ingress Tool Transfer
Command and Control T1573 Encrypted Channel
Impact T1486 Data Encrypted for Impact

Relevancy and Insights:

  • The ransomware primarily targets Windows OS, which is used by enterprises across a variety of industries.
  • The ransomware accesses the Windows Credential Manager to extract stored credentials, including usernames and passwords saved by the user or the system. Suspicious access to stored credentials is a technique often used during the credential access phase, where the ransomware attempts to gather authentication data to escalate privileges, disable security tools, or facilitate lateral movement within the network.
  • Calls to WMI: the ransomware makes calls to the Windows Management Instrumentation (WMI) framework. WMI is a powerful tool used by many legitimate applications and services, but it can also be abused by malware to execute commands, collect information, or modify the system.

ETLM Assessment:
CYFIRMA’s assessment indicates that the NEZHA ransomware group is in its early phase but demonstrates clear indicators of rapid evolution. Evidence from observed artifacts (.NEZHA extension, README.TXT ransom note), confirmed IOCs, and TTPs such as WMI execution, credential theft, and extensive system discovery strongly support this trajectory. With these capabilities already in play, it is highly likely that NEZHA will expand into double or triple extortion, adopt dedicated leak sites, and transition toward a Ransomware-as-a-Service model, positioning it as a scalable and persistent global threat.

Sigma rule:
title: Suspicious desktop.ini Action
tags:
  - attack.persistence
  - attack.t1547.009
logsource:
  product: windows
  category: file_event
detection:
  selection:
    TargetFilename|endswith: '\desktop.ini'
  filter_generic:
    Image|startswith:
      - 'C:\Windows\'
      - 'C:\Program Files\'
      - 'C:\Program Files (x86)\'
  filter_jetbrains:
    Image|endswith: '\AppData\Local\JetBrains\Toolbox\bin\7z.exe'
    TargetFilename|contains: '\JetBrains\apps\'
  filter_upgrade:
    TargetFilename|startswith: 'C:\$WINDOWS.~BT\NewOS\'
  condition: selection and not 1 of filter_*
falsepositives:
  - Operations performed through Windows SCCM or equivalent
  - Read only access list authority
level: medium
Source: Surface Web
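To make the rule's selection-and-filter logic concrete, the following Python script re-implements the matching of the Sigma rule above by hand and runs it over constructed Sysmon-style file-creation events. This is an added example, not CYFIRMA's code and not part of the rule; the field names Image and TargetFilename come from the rule, while RecordId and every event value are constructed for illustration. The cases show which events the selection catches, which the three filters suppress, and that the JetBrains filter only applies when both of its fields match.

```python
from typing import Dict, List

Event = Dict[str, str]

# Rule values transcribed from the Sigma rule above.
SELECTION_SUFFIX = "\\desktop.ini"
GENERIC_IMAGE_PREFIXES = ("C:\\Windows\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\")
JETBRAINS_IMAGE_SUFFIX = "\\AppData\\Local\\JetBrains\\Toolbox\\bin\\7z.exe"
JETBRAINS_TARGET_SUBSTRING = "\\JetBrains\\apps\\"
UPGRADE_TARGET_PREFIX = "C:\\$WINDOWS.~BT\\NewOS\\"


def _ci(value: str) -> str:
    # Sigma string comparisons are case-insensitive, so lower-case both sides.
    return value.lower()


def matches_selection(ev: Event) -> bool:
    """selection: TargetFilename|endswith '\\desktop.ini'"""
    return _ci(ev.get("TargetFilename", "")).endswith(_ci(SELECTION_SUFFIX))


def filter_generic(ev: Event) -> bool:
    """filter_generic: Image under one of the trusted system directories."""
    image = _ci(ev.get("Image", ""))
    return any(image.startswith(_ci(p)) for p in GENERIC_IMAGE_PREFIXES)


def filter_jetbrains(ev: Event) -> bool:
    """filter_jetbrains: both keys of a Sigma map must match (logical AND)."""
    return (_ci(ev.get("Image", "")).endswith(_ci(JETBRAINS_IMAGE_SUFFIX))
            and _ci(JETBRAINS_TARGET_SUBSTRING) in _ci(ev.get("TargetFilename", "")))


def filter_upgrade(ev: Event) -> bool:
    """filter_upgrade: files written by the Windows in-place upgrade staging area."""
    return _ci(ev.get("TargetFilename", "")).startswith(_ci(UPGRADE_TARGET_PREFIX))


def rule_fires(ev: Event) -> bool:
    """condition: selection and not 1 of filter_*"""
    if not matches_selection(ev):
        return False
    return not (filter_generic(ev) or filter_jetbrains(ev) or filter_upgrade(ev))


def evaluate(events: List[Event]) -> List[str]:
    """Return the RecordIds of events the rule would alert on."""
    return [ev["RecordId"] for ev in events if rule_fires(ev)]


# Constructed sample events (not real telemetry); the comment says the expected outcome.
SAMPLE_EVENTS: List[Event] = [
    {"RecordId": "1", "Image": "C:\\Users\\alice\\Downloads\\invoice.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\desktop.ini"},            # alerts
    {"RecordId": "2", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Pictures\\desktop.ini"},             # filter_generic
    {"RecordId": "3", "Image": "C:\\Users\\alice\\AppData\\Local\\JetBrains\\Toolbox\\bin\\7z.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\JetBrains\\apps\\IDEA\\desktop.ini"},  # filter_jetbrains
    {"RecordId": "4", "Image": "C:\\Users\\alice\\AppData\\Local\\JetBrains\\Toolbox\\bin\\7z.exe",
     "TargetFilename": "C:\\Users\\alice\\Desktop\\desktop.ini"},              # 7z.exe but target outside apps\: alerts
    {"RecordId": "5", "Image": "C:\\Users\\alice\\Downloads\\setup.exe",
     "TargetFilename": "C:\\$WINDOWS.~BT\\NewOS\\Users\\Public\\desktop.ini"},  # filter_upgrade
    {"RecordId": "6", "Image": "C:\\Users\\alice\\Downloads\\invoice.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"},              # not desktop.ini
    {"RecordId": "7", "Image": "C:\\Temp\\Malware.exe",
     "TargetFilename": "C:\\Users\\Public\\DESKTOP.INI"},                      # case-insensitive: alerts
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # ['1', '4', '7']
```

The filters are what keep the rule at a tolerable false-positive rate: explorer.exe rewrites desktop.ini constantly, so without filter_generic the rule would be noise. When adding the rule to a SIEM, confirm that the log source maps the process path to Image and the written path to TargetFilename, since a mismapped field silently turns every filter off.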

IOCs:
Kindly refer to the IOCs section to exercise control of your security systems.

STRATEGIC RECOMMENDATION

  • Implement strong security controls, including encryption, authentication, and access-credential configurations, for access to critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATION

  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATION

  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rule for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.

Trending Malware of the Week

Type: Trojan | Objectives: Credential Theft, Cryptocurrency Theft, Device Control, Data Exfiltration | Target Technology: Android OS | Target Industry: Financial Services, Cryptocurrency Platforms | Target Geography: Global

CYFIRMA collects data from various forums based on which the trend is ascertained. We identified a few popular malware that were found to be distributed in the wild to launch cyberattacks on organizations or individuals.

Active Malware of the week
This week “Brokewell” is trending.

Overview of Brokewell Malware
Researchers identified a new wave of malicious activity within Meta’s advertising system, where cybercriminals are adapting their tactics to reach a wider pool of victims. After months of targeting Windows desktop users with fake ads for counterfeit trading and cryptocurrency platforms, the focus has now shifted to Android users worldwide. The latest campaign involves deceptive Facebook ads offering a free premium version of the TradingView app, which in reality delivers an upgraded variant of the Brokewell malware designed to steal cryptocurrency. This discovery highlights how attackers are refining their strategies, hiding behind trusted financial tools, and leveraging the growing popularity of mobile trading apps to maximize their gains.

Attack Method

The attack began with deceptive Facebook ads carrying TradingView’s branding, sometimes paired with unusual visuals such as a Labubu character, to capture attention. While desktop users clicking these ads were shown harmless content, Android users were redirected to a fraudulent website mimicking TradingView’s official page. From there, victims were tricked into downloading an initial malicious app, known as a dropper, disguised as a free premium app. The dropper decrypted and installed the actual malicious payload — an evolved form of the Brokewell malware.

Once the actual malware is installed, the dropper uninstalls itself to avoid detection. The fake app had already requested powerful permissions, including accessibility access, and attempted to obtain the user’s lock screen PIN, granting attackers further control and unauthorized access. To maximize its reach, the malware also requested permissions in multiple languages — including English, Spanish, Portuguese, German, French, Italian, Turkish, and Finnish — reflecting its design for global campaigns. The malware was designed to conceal its activities, target cryptocurrency wallets, and communicate securely with attackers over TOR, giving them full control over infected devices and access to sensitive information. Once granted the necessary permissions, Brokewell is capable of the following actions:

  • Stealing cryptocurrencies like BTC, ETH, USDT, as well as banking details and wallet information
  • Capturing authentication codes from apps like Google Authenticator to bypass 2FA
  • Taking over accounts by presenting fake login screens to trick users into revealing credentials
  • Recording screens, logging keystrokes, stealing cookies, and tracking location
  • Intercepting SMS messages, including banking alerts and 2FA codes
  • Remotely controlling the device, including sending messages, placing calls, uninstalling apps, or even wiping itself
  • Activating the camera and microphone to record audio and video secretly

Following are the TTPs based on the MITRE ATT&CK Framework for Mobile

Tactic Technique ID Technique Name
Initial Access T1456 Drive-By Compromise
Persistence T1624.001 Event Triggered Execution: Broadcast Receivers
Persistence T1541 Foreground Persistence
Privilege Escalation T1626 Abuse Elevation Control Mechanism
Defense Evasion T1628 Hide Artifacts
Defense Evasion T1628.001 Hide Artifacts: Suppress Application Icon
Defense Evasion T1655 Masquerading
Defense Evasion T1516 Input Injection
Defense Evasion T1406 Obfuscated Files or Information
Defense Evasion T1406.002 Obfuscated Files or Information: Software Packing
Credential Access T1517 Access Notifications
Credential Access T1414 Clipboard Data
Credential Access T1417 Input Capture
Credential Access T1417.001 Input Capture: Keylogging
Credential Access T1417.002 Input Capture: GUI Input Capture
Credential Access T1634 Credentials from Password Store
Discovery T1420 File and Directory Discovery
Discovery T1430 Location Tracking
Discovery T1418 Software Discovery
Discovery T1426 System Information Discovery
Collection T1517 Access Notifications
Collection T1513 Screen Capture
Collection T1429 Audio Capture
Collection T1616 Call Control
Collection T1414 Clipboard Data
Collection T1417 Input Capture
Collection T1417.001 Input Capture: Keylogging
Collection T1417.002 Input Capture: GUI Input Capture
Collection T1430 Location Tracking
Collection T1636.002 Protected User Data: Call Log
Collection T1409 Stored Application Data
Command & Control T1437 Application Layer Protocol
Exfiltration T1646 Exfiltration Over C2 Channel
Impact T1616 Call Control
Impact T1582 SMS Control
Impact T1516 Input Injection

INSIGHTS

  • Researchers revealed that Brokewell has evolved into more than just a typical financial Trojan — it reflects a broader trend where cybercriminals exploit trusted platforms to lure victims. By using Facebook’s advertising system and piggybacking on the popularity of legitimate trading tools like TradingView, attackers managed to reach audiences who might not typically download suspicious apps. This approach highlights how threat actors are shifting from shady underground forums to mainstream spaces, blending in with legitimate marketing tactics to make their campaigns appear authentic.
  • Another noteworthy aspect is how the operators of Brokewell have taken deliberate steps to make the malware accessible to a global audience. The use of multiple languages when requesting permissions suggests the campaign was designed with international reach in mind, rather than targeting a single region. This multilingual strategy indicates a professional level of planning and an understanding that victims from different parts of the world could be equally susceptible, especially as trading apps and cryptocurrency platforms have become universal entry points for both experienced and new investors.
  • Finally, the integration of tools like TOR for communication shows the attackers’ focus on staying hidden and maintaining control over infected devices without leaving obvious traces. This emphasis on anonymity and concealment makes Brokewell not just a financial threat, but also a tool that grants attackers extended control over personal devices. By combining social engineering with stealthy infrastructure, Brokewell demonstrates how modern malware is no longer just about stealing money quickly but about embedding itself deeply into the victim’s digital life, making detection and recovery more complex.

ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that in the future, Brokewell-style campaigns will blur the line between personal and professional risks, as attackers disguise malware behind trusted brands and lure employees through seemingly legitimate tools. Infections on devices could quietly serve as gateways into corporate environments, expanding the threat surface for organizations worldwide. Employees may find it increasingly difficult to distinguish authentic apps and ads from malicious ones, leading to growing distrust in digital platforms and disruptions to workplace efficiency. With its globally adaptable design, such malware could enable simultaneous large-scale campaigns across regions, where even a single compromised employee device may trigger systemic risks affecting entire organizational ecosystems.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

YARA Rule
rule Brokewell_Indicators
{
    meta:
        description = "Detects Brokewell malware indicators"
        author = "CYFIRMA"
        malware_family = "Brokewell"
    strings:
        // MD5 File Hashes
        $md5_1 = "788cb1965585f5d7b11a0ca35d3346cc"
        $md5_2 = "58d6ff96c4ca734cd7dfacc235e105bd"
        // SHA256 File Hashes
        $sha256_1 = "39669a3663829b380c7a776857021ac8a325cf6c0f709dd502f5f0a0945da953"
        $sha256_2 = "6dd93a18b00db0f16042cd95ed45227aca0f850844e1cb9923e83df405757660"
        $sha256_3 = "78b3db9b68a4b62c6c4fffdcf0d0125aca464dbb4a6ef3526ac7c7ea1cfe88e4"
        $sha256_4 = "66b5cf0fe3eb2506ce38701acabc242323e1cdbdb2b0a96909936477e03e0cf3"
        // Domains
        $domain_1 = "new-tw-view.online"
        $domain_2 = "tradiwiw.online"
    condition:
        any of ($domain*) or any of ($md5*) or any of ($sha256*)
}

Recommendations:

STRATEGIC:

  • Implement Mobile Device Management (MDM) policy to enhance corporate data security by monitoring, managing, and securing mobile devices such as laptops, smartphones, and tablets that are used in enterprises.
  • Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audit of workstations, servers, laptops, mobile devices to identify unauthorized/ restricted software.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

MANAGEMENT:

  • Incorporate a written software policy that educates employees on good practices in relation to software and potential implications of downloading and using restricted software.
  • Security Awareness training should be mandated for all company employees. The training should ensure that employees:
      • Avoid downloading and executing files from unverified sources.
      • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Use multi-factor authentication (MFA) to mitigate credential theft and prevent attacker access. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts.
  • Evaluate the security and reputation of each piece of open-source software or utilities before usage.
  • Enforce policies to validate third-party software before installation.
  • Add the YARA rules for threat detection and monitoring, which will help to detect anomalies in log events and identify and monitor suspicious activities.

CYFIRMA’S WEEKLY INSIGHTS

1. Weekly Attack Types and Trends

Key Intelligence Signals:

  • Attack Type: Ransomware Attacks, Vulnerabilities & Exploits, Malware implant, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – Qilin Ransomware, Lynx Ransomware | Malware – Brokewell
  • Qilin Ransomware – One of the ransomware groups.
  • Lynx Ransomware – One of the ransomware groups.
    Please refer to the trending malware advisory for details on the following:
  • Malware – Brokewell
    Behavior – Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defense evasion, and persistence tactics are being observed.

2. Threat Actor in Focus

APT37: An Evolving Cyber Threat from North Korea

  • Threat Actor: APT37 aka Reaper, Group123
  • Attack Type: Connection Proxy, Credential Dumping, Exploitation of Vulnerabilities, Spear-Phishing, Code Obfuscation, Malware Implant.
  • Objective: Information theft, Espionage
  • Suspected Target Technology: Office Suites Software, Operating System, Web Application, Android.
  • Suspected Target Geography: China, Hong Kong, India, Japan, Kuwait, Middle East, Nepal, Romania, Russia, South Korea, UK, USA, Vietnam.
  • Suspected Target Industries: Automotive, Chemical, Education, Financial, Government, Healthcare, High-Tech, Manufacturing, Media, Research, Technology, Transportation, Aerospace.
  • Business Impact: Compromised user accounts, Data Theft, Operational Disruption, Reputational Damage.

About the Threat Actor
Reaper (APT37) is a suspected North Korean cyber espionage group active since 2012, known for its advanced malware development and sophisticated tactics, techniques, and procedures (TTPs). Initially targeting South Korea, the group has since expanded its targeting to other geographies. Notable campaigns include Operation Daybreak, Erebus, Golden Time, FreeMilk, Are You Happy?, and Evil New Year.

Additionally, malware families and tools, such as Konni, Nokki, DogCall, and CarrotBat, have been associated with the group’s operations, further demonstrating its technical capability and adaptability. The group has been linked to attacks on academic and strategic institutions, including a Japanese entity associated with a UN human rights project. Reaper’s activities align closely with North Korean state objectives, making it a persistent and evolving threat.

Details on Exploited Vulnerabilities

CVE ID | Affected Products | CVSS Score | Exploit Links
CVE-2018-4878 | Adobe Flash Player | 9.8 | Link
CVE-2022-41128 | Windows Scripting Languages | 8.8 |
CVE-2024-38178 | Scripting Engine Memory | 7.5 |
CVE-2020-1380 | Internet Explorer | 8.8 | Link

TTPs based on MITRE ATT&CK Framework

Tactic ID Technique
Initial Access T1189 Drive-by Compromise
Initial Access T1566.001 Phishing: Spearphishing Attachment
Execution T1059 Command and Scripting Interpreter
Execution T1059.003 Command and Scripting Interpreter: Windows Command Shell
Execution T1059.005 Command and Scripting Interpreter: Visual Basic
Execution T1059.006 Command and Scripting Interpreter: Python
Execution T1203 Exploitation for Client Execution
Execution T1559.002 Inter-Process Communication: Dynamic Data Exchange
Execution T1106 Native API
Execution T1053.005 Scheduled Task/Job: Scheduled Task
Execution T1204.002 User Execution: Malicious File
Persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Persistence T1053.005 Scheduled Task/Job: Scheduled Task
Privilege Escalation T1053.005 Scheduled Task/Job: Scheduled Task
Privilege Escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
Privilege Escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation T1055 Process Injection
Defense Evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
Defense Evasion T1036.001 Masquerading: Invalid Code Signature
Defense Evasion T1027 Obfuscated Files or Information
Defense Evasion T1027.003 Obfuscated Files or Information: Steganography
Defense Evasion T1055 Process Injection
Credential Access T1555.003 Credentials from Password Stores: Credentials from Web Browsers
Discovery T1120 Peripheral Device Discovery
Discovery T1057 Process Discovery
Discovery T1082 System Information Discovery
Discovery T1033 System Owner/User Discovery
Collection T1123 Audio Capture
Collection T1005 Data from Local System
Command and Control T1105 Ingress Tool Transfer
Command and Control T1071.001 Application Layer Protocol: Web Protocols
Command and Control T1102.002 Web Service: Bidirectional Communication
Impact T1561.002 Disk Wipe: Disk Structure Wipe
Impact T1529 System Shutdown/Reboot

Latest Developments Observed
The threat actor is suspected of conducting a campaign, Operation HanKook Phantom, characterized by highly tailored spear-phishing attacks utilizing malicious LNK loaders, fileless PowerShell execution, and covert data exfiltration techniques. The campaign appears to primarily target government entities, research institutions, and academic organizations in South Korea, with the likely objective of intelligence collection and long-term espionage.

ETLM Insights
APT37 demonstrates increasingly sophisticated and evolving tactics, techniques, and procedures (TTPs), including spear-phishing campaigns, exploitation of software vulnerabilities, and advanced malware development capabilities. The group has expanded its digital footprint beyond its traditional regions of operation, aligning its activities with state objectives and supporting government priorities. Its targeting scope extends across a broader technology stack, spanning Windows, Android, web browsers, and cloud infrastructure, underscoring its focus on intelligence collection and long-term espionage. It is anticipated that future campaigns by the threat group are likely to employ cross-platform malware, AI-driven spear-phishing, and large-scale strategic web compromises.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

YARA Rules
rule APT37_Indicators
{
    meta:
        description = "Detects indicators related to APT37 (ScarCruft) including CVEs, IPs, and domains"
        author = "CYFIRMA"
        date = "2025-09-02"
        threat_actor = "APT37 / ScarCruft / TA-RedAnt"
    strings:
        // Known CVE strings often referenced in attack artifacts or logs
        $cve1 = "CVE-2018-4878"
        $cve2 = "CVE-2022-41128"
        $cve3 = "CVE-2024-38178"
        $cve4 = "CVE-2020-1380"
        // Domains linked to APT37 infrastructure
        $domain1 = "st0746.net"
        $domain2 = "crowdon.info"
        $domain3 = "joinupvts.org"
        $domain4 = "seoulhobi.biz"
        // IP addresses associated with malicious activity
        $ip1 = "209.85.147.147"
        $ip2 = "209.85.147.106"
        $ip3 = "209.85.147.99"
        $ip4 = "209.85.146.147"
        $ip5 = "209.85.146.106"
    condition:
        any of ($cve*) or any of ($domain*) or any of ($ip*)
}
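One caveat applies to both the Brokewell rule and the APT37 rule above: a YARA string such as $md5_1 matches the hex text of a hash wherever it appears (for example inside a report like this one), not the file that has that hash, and the domain, IP and CVE strings likewise only match where they occur literally. The following Python script, an added example that is not CYFIRMA's code, applies the same indicators the way a defender usually needs them: it hashes file content with hashlib and compares the digest against the rule's hash values, and it searches log lines for the indicator domains (including their subdomains) and IPs. The indicator values are transcribed from the two rules; the sample log lines and report text are constructed.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Set

# Indicators transcribed from the Brokewell and APT37 YARA rules above.
MD5_IOCS = {
    "788cb1965585f5d7b11a0ca35d3346cc",
    "58d6ff96c4ca734cd7dfacc235e105bd",
}
SHA256_IOCS = {
    "39669a3663829b380c7a776857021ac8a325cf6c0f709dd502f5f0a0945da953",
    "6dd93a18b00db0f16042cd95ed45227aca0f850844e1cb9923e83df405757660",
    "78b3db9b68a4b62c6c4fffdcf0d0125aca464dbb4a6ef3526ac7c7ea1cfe88e4",
    "66b5cf0fe3eb2506ce38701acabc242323e1cdbdb2b0a96909936477e03e0cf3",
}
DOMAIN_IOCS = {"new-tw-view.online", "tradiwiw.online",
               "st0746.net", "crowdon.info", "joinupvts.org", "seoulhobi.biz"}
IP_IOCS = {"209.85.147.147", "209.85.147.106", "209.85.147.99",
           "209.85.146.147", "209.85.146.106"}


def file_digests(data: bytes) -> Dict[str, str]:
    """MD5 and SHA-256 of the content, lower-case hex as written in the rules."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def hash_hits(data: bytes, md5_iocs: Set[str] = MD5_IOCS,
              sha256_iocs: Set[str] = SHA256_IOCS) -> List[str]:
    """Indicators whose value equals a digest of the content itself."""
    digests = file_digests(data)
    hits: List[str] = []
    if digests["md5"] in md5_iocs:
        hits.append("md5:" + digests["md5"])
    if digests["sha256"] in sha256_iocs:
        hits.append("sha256:" + digests["sha256"])
    return hits


def literal_hash_string_hits(data: bytes) -> List[str]:
    """What the rules' $md5_*/$sha256_* strings actually test: the hex text
    occurring inside the content. This fires on reports and IOC lists rather
    than on the malware file, and is kept here only to show the difference."""
    text = data.lower()
    return [h for h in sorted(MD5_IOCS | SHA256_IOCS) if h.encode() in text]


# Hostnames and dotted-quad IPs inside free-form log text.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def log_line_hits(line: str) -> Set[str]:
    """Indicator domains (or subdomains of them) and indicator IPs on one line."""
    hits: Set[str] = set()
    for name in DOMAIN_RE.findall(line):
        name = name.lower()
        if name in DOMAIN_IOCS or any(name.endswith("." + d) for d in DOMAIN_IOCS):
            hits.add(name)
    for ip in IP_RE.findall(line):
        if ip in IP_IOCS:
            hits.add(ip)
    return hits


def scan_log(lines: Iterable[str]) -> Dict[int, Set[str]]:
    """Map 1-based line numbers to the indicators seen on that line."""
    result: Dict[int, Set[str]] = {}
    for number, line in enumerate(lines, 1):
        hits = log_line_hits(line)
        if hits:
            result[number] = hits
    return result


# Constructed sample data, not real telemetry.
SAMPLE_LOG = [
    "2025-09-03T10:12:01Z dns query=www.tradiwiw.online client=10.0.0.5",
    "2025-09-03T10:12:07Z conn dst=209.85.147.99:443 proto=tcp",
    "2025-09-03T10:13:40Z dns query=updates.example.com client=10.0.0.5",
    "2025-09-03T10:14:02Z http host=seoulhobi.biz uri=/index.php",
]
REPORT_TEXT = b"IOC list: sha256 39669a3663829b380c7a776857021ac8a325cf6c0f709dd502f5f0a0945da953"

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
    print("content-hash hits on the report text:", hash_hits(REPORT_TEXT))
    print("literal-string hits on the report text:", literal_hash_string_hits(REPORT_TEXT))
```

Run on the sample, the log scan flags lines 1, 2 and 4; the report text produces no content-hash hit but one literal-string hit, which is exactly the difference between matching a hash value and matching the file it identifies. Where file-hash matching is wanted inside YARA itself, the rule's condition should compare the digest of the scanned file with those values rather than search for them as strings.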

Recommendations

Strategic

  • Incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.
  • Assess and deploy alternatives for an advanced endpoint protection solution that provides detection/prevention for malware and malicious activities that do not rely on signature-based detection methods.
  • Block exploit-like behaviour. Monitor endpoint memory for behavioural patterns typical of exploitation, such as unusual process handle requests. These patterns are common to most exploits, whether known or new, so detecting them provides effective protection against zero-day and critical exploits.

Management

  • Invest in user education and implement standard operating procedures for the handling of financial and sensitive data transactions commonly targeted by impersonation attacks. Reinforce this training with context-aware banners and in-line prompts to help educate users.
  • Develop a cyber threat remediation program and encourage employee training to detect anomalies proactively.

Tactical

  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening the defence based on the tactical intelligence provided.
  • For better protection coverage against email attacks (like spear phishing, business email compromise, or credential phishing attacks), organizations should augment built-in email security with layers that take a materially different approach to threat detection.
  • Protect accounts with multi-factor authentication. Exert caution when opening email attachments or clicking on embedded links supplied via email communications, SMS, or messaging.
  • Apply security measures to detect unauthorized activities, protect sensitive production, and process control systems from cyberattacks.
  • Add the YARA rule for threat detection and monitoring, which will help to detect anomalies in log events and identify and monitor suspicious activities.

3. Major Geopolitical Developments in Cybersecurity

Chinese cyberespionage targets diplomats in Southeast Asia
Earlier this year, a cyber-espionage campaign targeted Southeast Asian diplomats, likely supporting China’s strategic interests, according to researchers. The attacks, attributed to the China-linked UNC6384 group, used social engineering and malware disguised as software updates. About two dozen victims, potentially including government officials or contractors, downloaded the malware, while China’s Ministry of Foreign Affairs denied awareness of the issue.

ETLM Assessment:
The findings heighten US-China cybersecurity tensions, following previous reports of Chinese state-sponsored hackers exploiting software flaws and Beijing’s claims of US cyberattacks on Chinese military firms. The hackers breached Wi-Fi networks to trick diplomats into downloading SOGU.SEC malware, disguised as Adobe plug-ins, which were installed in device memory to evade detection. According to the researchers, sensitive diplomatic documents were likely accessible, though the extent of data loss remains unclear. This cyber-espionage campaign, targeting Southeast Asian diplomats with social engineering and malware to access sensitive documents, exemplifies standard government-backed tactics to covertly gather strategic intelligence, which has been heavily utilized by China in recent years, with many more similar campaigns likely underway at the same time.

Chinese Salt Typhoon APT hacked more than 80 countries
A years-long cyber-espionage campaign linked to Beijing, initially thought to target U.S. telecoms and Donald Trump’s phone calls, impacted over 80 countries, compromising millions of call records and potentially tracking U.S. citizens’ movements globally, according to the FBI cyber unit. The “Salt Typhoon” operation, active since at least 2019 but uncovered last year, accessed sensitive U.S. customer data, private communications, law-enforcement systems used for court-authorized wiretapping, and technical network details, raising significant national security concerns. Described as a highly damaging operation, it breached major U.S. carriers like Verizon, AT&T, and T-Mobile, with varying degrees of success, and targeted networks globally for intelligence aggregation beyond typical espionage norms. Beijing denies involvement, claiming the U.S. lacks evidence and accusing it of fabricating claims. The FBI, alongside international partners, has contained much of the activity, issuing a memo with technical details to help companies detect the hackers, who exploited known software and device vulnerabilities, including routers.

ETLM Assessment:
U.S. officials describe the breach as a damaging and well-executed espionage operation by Beijing, and investigators now believe the activity was broader and more indiscriminate than previously understood, and beyond what countries usually understand to be espionage, Leatherman said. The activity potentially allowed Chinese spies to use cell phone geolocation data to track Americans’ movements, including outside the country. One of the facts that points to a large-scale coordinated operation is that the hackers got into networks by exploiting a range of known vulnerabilities in software and devices connected to the networks, including routers. China is deploying significant resources to conduct sophisticated, global cyber-espionage campaigns of which Salt Typhoon is just one example.

4. Rise in Malware/Ransomware and Phishing

Qilin Ransomware Impacts DAOR E&C Co., Ltd

  • Attack Type: Ransomware
  • Target Industry: Construction
  • Target Geography: South Korea
  • Ransomware: Qilin Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from South Korea, DAOR E&C Co., Ltd (http[:]//www[.]daorenc[.]com), was compromised by Qilin Ransomware. DAOR E&C Co., Korea, is a company engaged in the production and construction of concrete structures: concrete bridges, large cable-stayed bridges, liquefied natural gas tanks, underground tunnels, and heavy lifting structures. The leaked data reportedly contains over 400 GB of internal company information, including proprietary designs regarded as trade secrets. It also exposes the personal details of all DAOR E&C Co. employees, including top management and the CEO—such as names, home addresses, phone numbers, email addresses, and bank account information. Additionally, the dataset includes plans and technical drawings for hundreds of completed projects, with schematics of bridges, tunnels, and liquefied natural gas (LNG) tanks now publicly accessible. This highly sensitive information should remain confidential, as it holds significant value and potential interest to foreign entities.

Source: Dark Web

Relevancy & Insights:

  • The Qilin Ransomware group primarily targets countries such as the United States of America, Canada, France, the United Kingdom, and Italy.
  • The Qilin Ransomware group primarily targets industries, including Manufacturing, Professional Goods & Services, Healthcare, Information Technology, and Consumer Goods & Services.
  • Based on the Qilin Ransomware victims list from 1st Jan 2025 to 03rd September 2025, the top 5 Target Countries are as follows:
  • The Top 10 Industries most affected by the Qilin Ransomware victims list from 1st Jan 2025 to 03rd September 2025 are as follows:

ETLM Assessment:
According to CYFIRMA’s assessment, Qilin ransomware poses a significant threat to organizations of all sizes. Its evolving tactics, including double extortion (data encryption and leak threats), cross-platform capabilities (Windows and Linux, including VMware ESXi), and focus on speed and evasion, make it a particularly dangerous actor.

Lynx Ransomware Impacts HK Hardware & Engineering

  • Attack Type: Ransomware
  • Target Industry: Construction Materials / Hardware Supply & Engineering Services
  • Target Geography: Singapore
  • Ransomware: Lynx Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Singapore, HK Hardware & Engineering (https[:]//www[.]hkhardware[.]com[.]sg/), was compromised by Lynx Ransomware. H.K. Hardware Engineering Pte Ltd is a one-stop industrial supplier for the marine offshore sector, offering a wide range of products, including cutting discs, abrasive materials, building materials, hand tools, and safety products. The compromised data includes financial documents, purchase and sale deed bills, along with other confidential and sensitive information pertaining to the organization.

Source: Dark Web

Relevancy & Insights:

  • The Lynx Ransomware is confirmed to use a hybrid encryption approach, with AES-128 in CTR mode for fast file encryption and Curve25519 Donna for robust asymmetric key exchange, ensuring files are only recoverable with the attacker’s private key.
  • Lynx provides a comprehensive platform for affiliates, including tools for managing victims, negotiating ransoms, and sharing access with sub-affiliates.
  • The Lynx Ransomware group primarily targets countries such as the United States of America, Singapore, the United Kingdom, Germany, and Italy.
  • The Lynx Ransomware group primarily targets industries, including Professional Goods & Services, Manufacturing, Consumer Goods & Services, Information Technology, and Real Estate & Construction.
  • Based on the Lynx Ransomware victims list from 1st Jan 2025 to 03rd September 2025, the top 5 Target Countries are as follows:
  • The Top 10 Industries most affected by the Lynx Ransomware victims list from 1st Jan 2025 to 03rd September 2025 are as follows:

ETLM Assessment:
According to CYFIRMA’s assessment, Lynx ransomware has emerged as a significant threat in the cybersecurity landscape, leveraging advanced encryption and double extortion tactics to target small and medium-sized businesses. Its structured affiliate program and versatile ransomware toolkit make it a formidable force in the RaaS ecosystem.

5. Vulnerabilities and Exploits

Vulnerability in ISC Kea

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Server applications
  • Vulnerability: CVE-2025-40779
  • CVSS Base Score: 7.5
  • Vulnerability Type: Reachable assertion
  • Summary: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

Relevancy & Insights:
The vulnerability exists due to a reachable assertion when handling DHCP packets. A remote attacker can send a request with some specific options, and if Kea fails to find an appropriate subnet for the client, the kea-dhcp4 process will abort with an assertion failure.

Impact:
A remote attacker can perform a denial-of-service attack.

Affected Products:
https://kb[.]isc[.]org/docs/cve-2025-40779

Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.
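As an added illustration of the monitoring recommendation above (example code written for this report, not CYFIRMA's or ISC's), the following Python script watches journal-style log lines for the failure mode described in the Relevancy & Insights: the kea-dhcp4 process aborting on an assertion and being restarted by systemd. The systemd wording for a SIGABRT exit is standard; the sample log lines, the host name, the PIDs and the Kea assertion message text are constructed for the example and are not Kea's real output. Repeated aborts inside a short window are reported as a crash loop, which is the signal a defender would alert on.

```python
"""Detect kea-dhcp4 assertion aborts and crash loops from journal-style log lines."""
import re
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, List, Optional

# Constructed sample in a journalctl-like layout. The systemd "Main process exited"
# wording is standard; the Kea assertion text and DHCP4_STARTED lines are stand-ins
# used only to exercise the matcher (assumption, not real Kea output).
SAMPLE_LOG = """\
2025-09-03 10:14:02 dhcp1 kea-dhcp4[4123]: INFO  DHCP4_STARTED Kea DHCPv4 server version X.Y.Z started
2025-09-03 10:20:11 dhcp1 kea-dhcp4[4123]: INFO  DHCP4_LEASE_ALLOC lease 10.0.0.42 has been allocated
2025-09-03 10:31:45 dhcp1 kea-dhcp4[4123]: kea-dhcp4: Assertion `subnet' failed.
2025-09-03 10:31:45 dhcp1 systemd[1]: kea-dhcp4.service: Main process exited, code=dumped, status=6/ABRT
2025-09-03 10:31:46 dhcp1 systemd[1]: kea-dhcp4.service: Scheduled restart job, restart counter is at 1.
2025-09-03 10:32:02 dhcp1 kea-dhcp4[4188]: INFO  DHCP4_STARTED Kea DHCPv4 server version X.Y.Z started
2025-09-03 10:33:10 dhcp1 kea-dhcp4[4188]: kea-dhcp4: Assertion `subnet' failed.
2025-09-03 10:33:10 dhcp1 systemd[1]: kea-dhcp4.service: Main process exited, code=dumped, status=6/ABRT
2025-09-03 10:33:11 dhcp1 systemd[1]: kea-dhcp4.service: Scheduled restart job, restart counter is at 2.
"""

# One journal-style line: timestamp, host, "process[pid]", message.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+?)\[\d+\]: (.*)$")
# systemd's standard wording when a service dies from SIGABRT (signal 6).
ABORT_RE = re.compile(r"kea-dhcp4\.service: Main process exited, code=(?:dumped|killed), status=6/ABRT")
# Generic assertion-failure text emitted by the kea-dhcp4 process itself.
ASSERT_RE = re.compile(r"[Aa]ssertion .*failed")


@dataclass
class Alert:
    when: datetime
    count: int  # number of aborts seen inside the window ending at `when`


@dataclass
class KeaCrashReport:
    crashes: List[datetime] = field(default_factory=list)
    assertion_messages: List[str] = field(default_factory=list)
    alerts: List[Alert] = field(default_factory=list)


def parse_line(line: str) -> Optional[tuple]:
    """Return (timestamp, host, process, message) or None for lines in another layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, proc, msg = m.groups()
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, proc, msg


def analyze_kea_log(lines, threshold: int = 2, window: timedelta = timedelta(minutes=10)) -> KeaCrashReport:
    """Collect kea-dhcp4 aborts and raise an alert when `threshold` aborts fall inside `window`."""
    report = KeaCrashReport()
    recent: Deque[datetime] = deque()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, _host, proc, msg = parsed
        if proc == "kea-dhcp4" and ASSERT_RE.search(msg):
            report.assertion_messages.append(msg)
        if proc == "systemd" and ABORT_RE.search(msg):
            report.crashes.append(when)
            recent.append(when)
            while recent and when - recent[0] > window:
                recent.popleft()  # drop aborts that fell out of the sliding window
            if len(recent) >= threshold:
                report.alerts.append(Alert(when, len(recent)))
                recent.clear()  # one alert per burst; a new burst starts the count again
    return report


if __name__ == "__main__":
    rep = analyze_kea_log(SAMPLE_LOG.splitlines())
    print(f"{len(rep.crashes)} abort(s), {len(rep.assertion_messages)} assertion message(s)")
    for a in rep.alerts:
        print(f"ALERT {a.when}: kea-dhcp4 crash loop, {a.count} aborts within the window")
```

In production the same matcher would be fed from `journalctl -u kea-dhcp4 -f` or a log shipper, and the alert should be paired with a DHCP availability check, since the symptom of this bug is clients failing to obtain leases while the service restarts.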

TOP 5 AFFECTED TECHNOLOGIES OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment
Vulnerabilities in ISC Kea, an open-source DHCP server developed by the Internet Systems Consortium (ISC), can pose significant risks to network environments.

Exploitation could allow attackers to cause denial of service (DoS), manipulate DHCP leases, or potentially execute arbitrary code, impacting IP address management and network availability.

6. Latest Cyber-Attacks, Incidents, and Breaches

Sinobi Ransomware attacked and published the data of Harmony Electronics Corp

  • Threat Actor: Sinobi Ransomware
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Applications
  • Target Industry: Manufacturing
  • Target Geography: Taiwan
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary:
Recently, we observed that Sinobi Ransomware attacked and published the data of the Harmony Electronics Corp (https[:]//www[.]hele[.]com[.]tw/) on its dark web website. Harmony Electronics Corp is engaged in the manufacture of quartz frequency components. The Company’s main products include quartz crystals, quartz filters, and crystal oscillators. Its quartz crystals are applied to computer peripherals, communication devices, household electronics, automobiles, and others. The data leak, following the ransomware attack, encompasses sensitive and confidential records originating from the organizational database.

Source: Dark Web

Relevancy & Insights:

  • Sinobi Ransomware is a ransomware threat first observed in 2025, suspected to be a rebrand or splinter of the Lynx Ransomware group.
  • Sinobi ransomware uses a combination of Curve25519 Donna and AES-128-CTR encryption, a technique also seen in high-profile ransomware like Babuk, making file recovery virtually impossible without the attacker’s private key.

ETLM Assessment:
According to CYFIRMA’s assessment, Sinobi Ransomware represents a new, persistent threat in the ransomware landscape, capable of disruptive attacks on both enterprises and mid-sized organizations.

7. Data Leaks

Qatari E-commerce Platform Albazaar Shop’s Data Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: E-commerce
  • Target Geography: Qatar
  • Objective: Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
The CYFIRMA Research team observed that a threat actor “N1KA” has allegedly leaked a database belonging to Albazaar[.]shop, a popular Qatar-based online store specializing in Middle Eastern-themed products and home decor. The data was published on a notorious cybercrime forum and is said to contain over 12,700 rows of sensitive customer and order information. Albazaar[.]shop is a significant e-commerce platform within the region, and this alleged breach poses a serious privacy risk to its customer base.

The compromised database allegedly exposes a variety of personal and transactional details. According to the information shared by the threat actor, the leak contains specific data points that could be used by malicious actors for phishing campaigns, identity theft, or other forms of fraud. Customers of the platform are advised to be vigilant and monitor their accounts for any suspicious activity.

The leaked data allegedly includes:

  • Customer Names
  • Billing and Shipping Addresses
  • Email Addresses
  • Shipping and Payment Method Information
  • Order Details (e.g., Grand Total, Currency Code, Order Status)

Source: Underground Forums

Philippine Civil Service Commission (CSC) Data Advertised on a Leak Site

  • Attack Type: Data leak
  • Target Industry: Government
  • Target Geography: Philippines
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
The CYFIRMA Research team has identified that a threat actor has allegedly breached the Civil Service Commission (CSC) of the Philippines and is attempting to sell the stolen data on a dark web forum. The CSC is a highly important government body, acting as the central personnel agency for the entire Philippine government. It is responsible for the policies, plans, and programs that affect all civil service employees across the nation. The alleged breach reportedly exposes the sensitive information of 76,718 unique users, placing a significant number of government workers at risk.

The information also appears to contain detailed feedback from training sessions, further exposing personal opinions and internal data.

The data allegedly includes the following:

  • Enrollee ID
  • Full Name and Suffix
  • Status
  • Email
  • Sex
  • Position and Position Level
  • Name of Agency/Office
  • Contact Number
  • Sector
  • Nature of Employment
  • Organizational Role

Source: Underground Forums

Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:
The threat actor identified as “N1KA” has recently gained attention as a highly active group specializing in data leaks. Reliable sources have connected the group to multiple security breaches involving unauthorized system access and the attempted sale of exfiltrated data on dark web marketplaces. N1KA’s ongoing operations highlight the evolving and persistent nature of cyber threats emerging from underground forums. These incidents underscore the critical importance for organizations to strengthen their cybersecurity posture through continuous monitoring, advanced threat intelligence, and proactive defense strategies to protect sensitive data and infrastructure.

Recommendations: Enhance the cybersecurity posture by:

  1. Updating all software products to their latest versions to mitigate the risk of vulnerabilities being exploited.
  2. Ensuring proper database configuration to mitigate the risk of database-related attacks.
  3. Establishing robust password management policies, incorporating multi-factor authentication and role-based access to fortify credential security and prevent unauthorized access.

8. Other Observations

The CYFIRMA Research team observed that a threat actor has allegedly put administrative access to an unnamed cryptocurrency exchange up for sale on a cybercrime forum. The seller is asking for $5,000 in exchange for what is described as “API-level administrative access.” The specific identity of the crypto exchange has not been disclosed, leaving the industry on high alert as the potential victim could be any number of platforms operating globally. The anonymity of the victim makes it difficult for customers to take precautionary measures.

The type of access being sold poses a significant and severe threat. API-level administrative privileges could potentially allow a malicious actor to execute unauthorized trades, withdraw funds from user accounts, access sensitive customer data, and manipulate market data on the platform. Such a breach would be catastrophic for the exchange and could lead to devastating financial losses for its clients. The incident underscores the persistent targeting of the digital asset industry by cybercriminals seeking to exploit vulnerabilities for financial gain.

Source: Underground Forums

The CYFIRMA Research team has identified that a threat actor is allegedly offering live access to the core infrastructure of AT&T, a leading American multinational telecommunications company headquartered in Dallas, Texas. AT&T, one of the largest telecommunications providers in the United States, delivers mobile and fixed-line services to millions of customers. According to the seller, they have established a persistent presence within the company’s Tier 1 infrastructure, with interactive read/write access to a database containing data of approximately 24 million active subscribers. Such access could reportedly allow the actor to perform SIM swaps and intercept One-Time Passwords (OTPs), creating a significant security threat to impacted customers.

According to the post on a dark web forum, the threat actor has maintained their presence within AT&T’s systems for over three weeks without being detected. As proof of their claims, they shared a screenshot of what appears to be a database management tool showing subscriber data. The actor emphasized that this is not a static data leak but a live, interactive system with real-time synchronization, which they are offering for sale for $100,000 in Bitcoin. The exposed data fields allegedly include:

  • Phone Number
  • Device Type (iPhone/Android)
  • Registration Date
  • Last Activity Date
  • Account Status

Source: Underground Forums

STRATEGIC RECOMMENDATIONS

  • Attack Surface Management should be adopted by organisations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring, through next-generation security solutions and a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediations, and lessons learned.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events, communicate anomalies in a timely manner, and continuously evolve these processes to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapidly execute security checklists.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defences based on the tactical intelligence provided.
  • Deploy detection technologies that are behavioral anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate-limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.
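As an added worked example of the rate-limiting, IP blacklisting and account-lockout controls recommended in the tactical list above (example code written for this report, not CYFIRMA's), the Python class below sits in front of a login handler and decides whether an attempt may proceed. It combines three of the listed controls: a static IP blocklist, a per-IP sliding-window rate limit on all attempts, and a per-account lockout that engages after repeated failed logins inside a window. The class name, thresholds, addresses and user names are assumptions chosen for the illustration.

```python
"""Brute-force throttling: IP blocklist, per-IP rate limit and per-account lockout."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, Optional


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # "ok", "ip_blocked", "rate_limited", "account_locked" or "bad_credentials"


class LoginGuard:
    """Gate login attempts before the password check runs (hypothetical helper)."""

    def __init__(self, ip_limit: int = 10, ip_window: timedelta = timedelta(minutes=1),
                 lockout_threshold: int = 5, lockout_window: timedelta = timedelta(minutes=15),
                 lockout_duration: timedelta = timedelta(minutes=15),
                 ip_blocklist: Optional[Iterable[str]] = None) -> None:
        self.ip_limit = ip_limit                    # attempts allowed per IP inside ip_window
        self.ip_window = ip_window
        self.lockout_threshold = lockout_threshold  # failures inside lockout_window that lock an account
        self.lockout_window = lockout_window
        self.lockout_duration = lockout_duration    # temporary lock, so it cannot be used to lock users out forever
        self.ip_blocklist = set(ip_blocklist or ())
        self._ip_hits: Dict[str, Deque[datetime]] = defaultdict(deque)
        self._failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self._locked_until: Dict[str, datetime] = {}

    @staticmethod
    def _prune(q: Deque[datetime], now: datetime, window: timedelta) -> None:
        """Drop timestamps that fell out of the sliding window."""
        while q and now - q[0] > window:
            q.popleft()

    def attempt(self, ip: str, username: str, credentials_valid: bool, now: datetime) -> Decision:
        # 1. Static blocklist: known-bad sources never reach the password check.
        if ip in self.ip_blocklist:
            return Decision(False, "ip_blocked")

        # 2. Per-IP rate limit over all attempts, successful or not.
        hits = self._ip_hits[ip]
        self._prune(hits, now, self.ip_window)
        if len(hits) >= self.ip_limit:
            return Decision(False, "rate_limited")
        hits.append(now)

        # 3. Account lockout is checked before credentials, so a correct guess
        #    made while locked is still refused.
        until = self._locked_until.get(username)
        if until is not None:
            if now < until:
                return Decision(False, "account_locked")
            del self._locked_until[username]     # lock expired; start with a clean slate
            self._failures[username].clear()

        if credentials_valid:
            self._failures[username].clear()
            return Decision(True, "ok")

        fails = self._failures[username]
        self._prune(fails, now, self.lockout_window)
        fails.append(now)
        if len(fails) >= self.lockout_threshold:
            self._locked_until[username] = now + self.lockout_duration
            return Decision(False, "account_locked")
        return Decision(False, "bad_credentials")


if __name__ == "__main__":
    t0 = datetime(2025, 9, 3, 12, 0, 0)
    guard = LoginGuard(lockout_threshold=3, ip_blocklist={"203.0.113.9"})  # constructed sample addresses
    for i in range(4):
        print(guard.attempt("198.51.100.7", "alice", False, t0 + timedelta(seconds=i)))
    print(guard.attempt("198.51.100.7", "alice", True, t0 + timedelta(minutes=1)))   # still locked
    print(guard.attempt("198.51.100.7", "alice", True, t0 + timedelta(minutes=16)))  # lock expired
```

Two design points matter in practice: the lockout is time-bounded and the reason codes are for logs and metrics only. The response returned to the client should be identical for `bad_credentials` and `account_locked`, otherwise the endpoint leaks which user names exist and whether a lock was triggered. The IP limit counts successful attempts too, which keeps credential-stuffing runs that interleave valid logins from slipping through; the thresholds should be tuned against real traffic before enforcement.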

Situational Awareness – Cyber News

Please find the Geography-Wise and Industry-Wise breakdown of cyber news for the last 5 days as part of the situational awareness pillar.

Geography-Wise Graph

Industry-Wise Graph

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, and technology, please access DeCYFIR.