
CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple industries, geography, and technology that could be relevant to your organization.
Type: Ransomware
Target Technologies: Windows OS
Target Countries: Brazil, India, Paraguay, Turkey
Target Industries: Financial Services, Manufacturing, Retail & E-Commerce, Technology
Introduction:
CYFIRMA Research and Advisory Team has found Doommageddon Ransomware while monitoring various underground forums as part of our Threat Discovery Process.
Doommageddon Ransomware
Doommageddon is a ransomware family that encrypts files on compromised systems using asymmetric cryptographic algorithms and appends a new extension to each affected file while preserving the original filename. After encryption is complete, it creates a text-based ransom note claiming that the files can only be recovered with a unique private key controlled by the attackers. The note instructs victims to establish contact through a secure communication channel, provide an assigned victim identifier, and avoid modifying encrypted files or attempting recovery through third-party utilities. Top of Form Bottom of Form

Screenshot: File encrypted by the ransomware (Source: Surface Web)
Ransomware drops a ransom note named README_DECRYPT.txt, which informs victims that their files have been encrypted and claims that recovery is only possible with a private decryption key controlled by the attackers. The note instructs victims to establish contact through a secure communication channel, provide a unique victim identifier, and warns against modifying encrypted files or attempting recovery with third-party tools, stating that such actions may permanently damage the encrypted data.

Screenshot: The appearance of Doommageddon’s ransom note (README_DECRYPT.txt) (Source: Surface Web)

Screenshot: The appearance of Doommageddon’s DLS site
Beyond file encryption, Doommageddon employs a double-extortion model by leveraging a hidden data leak portal to pressure victims into paying a ransom. The portal categorizes victims according to the progress of negotiations or data disclosure and displays information such as countdown timers and the volume of compromised files. This approach combines data encryption with the threat of exposing stolen information, increasing the operational and reputational impact on affected organizations. Removing Doommageddon from an infected system is necessary to prevent further encryption activity or potential lateral movement across connected environments, although malware removal alone does not restore encrypted data. Recovery generally depends on the availability of clean offline or remote backups, as encrypted files cannot typically be recovered without the corresponding decryption key.
The following are the TTPs based on the MITRE ATT&CK Framework
| Tactic | Technique ID | Technique Name |
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1129 | Shared Modules |
| Execution | T1574 | Hijack Execution Flow |
| Persistence | T1543.003 | Create or Modify System Process: Windows Service |
|
Privilege Escalation |
T1055 | Process Injection |
|
Privilege Escalation |
T1543.003 | Create or Modify System Process: Windows Service |
|
Privilege Escalation |
T1548 | Abuse Elevation Control Mechanism |
|
Credential Access |
T1003 | OS Credential Dumping |
| Discovery | T1007 | System Service Discovery |
| Discovery | T1012 | Query Registry |
| Discovery | T1033 | System Owner/User Discovery |
| Discovery | T1057 | Process Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1135 | Network Share Discovery |
| Discovery | T1497 | Virtualization/Sandbox Evasion |
| Discovery | T1518 | Software Discovery |
| Collection | T1005 | Data from Local System |
|
Command and Control |
T1090 | Proxy |
| Impact | T1489 | Service Stop |
| Stealth | T1027 | Obfuscated Files or Information |
| Stealth | T1036 | Masquerading |
| Stealth | T1055 | Process Injection |
| Stealth | T1070.004 | Indicator Removal: File Deletion |
| Stealth | T1497 | Virtualization/Sandbox Evasion |
| Stealth | T1564.003 | Hide Artifacts: Hidden Window |
| Stealth | T1574 | Hijack Execution Flow |
Relevancy and Insights:
ETLM Assessment:
CYFIRMA assesses that Doommageddon is likely to continue maturing as a ransomware operation by enhancing both its technical capabilities and operational efficiency. Future variants may incorporate improved defense-evasion techniques, stronger persistence mechanisms, and greater automation to accelerate encryption and reduce the time between initial compromise and payload execution. The operators may also refine their deployment methods to better support attacks across diverse enterprise environments, increasing the scale and effectiveness of campaigns while minimizing opportunities for early detection and response.
The group’s apparent reliance on combining data theft with file encryption suggests that future campaigns could further strengthen their double-extortion strategy through more sophisticated victim management and expanded leak-site functionality. This may include more structured negotiation workflows, enhanced presentation of stolen data, and additional methods of applying pressure throughout the extortion process. As the ransomware landscape continues to evolve, operations of this nature are expected to become more organized, adaptable, and operationally resilient, enabling threat actors to conduct campaigns with greater consistency while maximizing disruption and increasing the likelihood of successful extortion.
Sigma rules:
title: Shadow Copies Deletion Using Operating Systems Utilities tags:
– attack.impact
– attack.stealth logsource:
category: process_creation product: windows
detection: selection1_img:
– Image|endswith:
– ‘\powershell.exe’
– ‘\pwsh.exe’
– ‘\wmic.exe’
– ‘\vssadmin.exe’
– ‘\diskshadow.exe’
– OriginalFileName:
– ‘PowerShell.EXE’
– ‘pwsh.dll’
– ‘wmic.exe’
– ‘VSSADMIN.EXE’
– ‘diskshadow.exe’ selection1_cli:
CommandLine|contains|all:
– ‘shadow’ # will match “delete shadows” and “shadowcopy delete” and “shadowstorage”
– ‘delete’ selection2_img:
– Image|endswith: ‘\wbadmin.exe’
– OriginalFileName: ‘WBADMIN.EXE’ selection2_cli:
CommandLine|contains|all:
– ‘delete’
– ‘catalog’
– ‘quiet’ # will match -quiet or /quiet selection3_img:
– Image|endswith: ‘\vssadmin.exe’
– OriginalFileName: ‘VSSADMIN.EXE’ selection3_cli:
CommandLine|contains|all:
– ‘resize’
– ‘shadowstorage’ CommandLine|contains:
– ‘unbounded’
– ‘/MaxSize=’
condition: (all of selection1*) or (all of selection2*) or (all of selection3*) falsepositives:
– Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
– LANDesk LDClient Ivanti-PSModule (PS EncodedCommand) level: high
(Source: Surface Web)
IOCs:
Kindly refer to the IOCs section to exercise control of your security systems. (Source: Surface Web)
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Type: Trojan
Objectives: Espionage
Target Technology: Windows
Target Geography: Global
CYFIRMA collects data from various forums, based on which the trend is ascertained. We identified a few popular malwares that were found to be distributed in the wild to launch cyberattacks on organizations or individuals.
Active Malware of the week
This week, “BrunoStealer” is in focus.
Overview of the operation BrunoStealer Malware
The analyzed BrunoStealer malware sample exhibits multiple characteristics commonly associated with a Trojan and demonstrates a combination of execution, reconnaissance, defense evasion, and network communication capabilities. Rather than performing overtly destructive actions immediately, the malware appears to focus on establishing execution, gathering system intelligence, and preparing the environment for potential follow-on activities. This behavior indicates a well-structured threat designed to operate discreetly while minimizing the likelihood of early detection. During execution, the malware leveraged legitimate Windows components to load and execute its malicious payload, a technique frequently used to blend malicious activity with normal system operations. It also employed obfuscation and software packing mechanisms, along with environment-awareness checks, to complicate static and dynamic analysis. These capabilities highlight an emphasis on evading security controls and delaying detection during execution.
The sample conducted extensive host reconnaissance by collecting information about the operating system, user accounts, network configuration, file system, and installed security-related components. Such discovery activities enable the malware to better understand the compromised environment, identify valuable targets, and determine appropriate actions based on the characteristics of the infected host. This intelligence-gathering phase is often a precursor to additional malicious activities.
In addition, the malware established outbound network communication over HTTP and accessed external services to obtain host-related information, including public IP and geolocation data. The observed communication capabilities indicate support for exchanging data with remote infrastructure, suggesting the potential for command-and-control interactions. Taken together, execution, evasion, reconnaissance, and communication behaviors demonstrate that the sample poses a significant security risk and should be considered a credible threat requiring immediate containment and remediation.
Attack Method
The infection begins with the execution of a malicious DLL through the Windows utility rundll32.exe, allowing the payload to run under the context of a trusted Microsoft binary. The sample also invokes loaddll64.exe during execution, indicating an additional stage for loading or testing the DLL. By relying on legitimate Windows executables instead of a standalone malicious process, the malware reduces its behavioral footprint and attempts to evade security products that primarily monitor unknown binaries. The use of runtime linking and shared modules further obscures its execution flow and complicates reverse engineering.
Once active, the malware performs a comprehensive reconnaissance phase to profile the compromised host. It enumerates operating system details, hostname, logged-in user, network configuration, available memory, file attributes, directory contents, and installed security-related components. The sample also queries multiple registry locations associated with Windows configuration, compatibility settings, and execution policies. These discovery operations enable malware to identify the characteristics of the target environment, determine whether it is running inside an analysis platform, and tailor its subsequent behavior accordingly.
To resist detection, the malware incorporates multiple defense evasion mechanisms. The executable is protected using software packing and obfuscation techniques, while also performing virtualization and sandbox detection checks before continuing execution. It references analysis tool strings, checks for known sandbox usernames or hostnames, and dynamically resolves Windows API functions at runtime instead of relying solely on static imports. These techniques collectively reduce the visibility of the malware during both static inspection and automated behavioral analysis, increasing the likelihood of successful execution on a victim system.
Following host profiling, the malware establishes outbound HTTP communication using the WinINet API. It creates HTTP requests, connects to remote servers, and supports both data transmission and response retrieval, enabling two-way communication with external infrastructure. During execution, the sample was observed querying an external IP geolocation service to obtain the victim’s public IP address and geographic information, while also containing a hardcoded Discord webhook URL that can facilitate remote data exfiltration or operator notifications. The combination of trusted process execution, extensive reconnaissance, anti-analysis capabilities, and external communication demonstrates a structured attack chain designed to support persistent command-and-control operations and the delivery of malicious activities.
The following are the TTPs based on the MITRE ATT&CK Framework for Enterprises
| Tactic | Technique ID | Technique Name |
| Execution | T1129 | Shared Modules |
| T1574 | Hijack Execution Flow | |
| Stealth | T1027 | Obfuscated Files or Information |
| T1027.002 | Obfuscated Files or Information: Software Packing | |
| T1218 | System Binary Proxy Execution | |
| T1497 | Virtualization/Sandbox Evasion | |
| Discovery | T1016 | System Network Configuration Discovery |
| T1033 | System Owner/User Discovery | |
| T1518.001 | Software Discovery: Security Software Discovery | |
| T1082 | System Information Discovery | |
| T1083 | File and Directory Discovery | |
| T1087 | Account Discovery | |
| T1614 | System Location Discovery | |
| Command and control | T1071 | Application Layer Protocol |
INSIGHTS
The malware demonstrates a deliberate emphasis on remaining inconspicuous rather than exhibiting immediate destructive behavior. Instead of triggering actions that would quickly attract attention, it prioritizes understanding of the host environment and operating within the context of legitimate Windows processes. This measured approach reflects an objective of maintaining a low operational profile while carrying out its activities.
Another notable aspect is the malware’s reliance on native operating system functionality instead of introducing numerous custom components onto the compromised system. By utilizing built-in Windows mechanisms for execution and communication, the sample minimizes the number of artifacts it leaves behind. This approach makes malicious activity appear more consistent with normal system behavior, increasing the challenge of distinguishing legitimate operations from malicious ones during routine monitoring.
The overall activity observed during execution suggests a modular design in which individual capabilities, including execution, host profiling, evasion, and network communication, are integrated into a coordinated workflow. Rather than relying on a single malicious capability, the sample combines multiple functions to achieve its objectives while maintaining operational flexibility. This layered behavior highlights the importance of evaluating malware based on the complete sequence of actions instead of isolated indicators or individual events.
ETLM ASSESSMENT
For ETLM, prospects indicate that malware employing stealth-oriented execution and trusted system components is likely to remain a persistent threat as organizations continue adopting hybrid work environments, cloud-based services, and increasingly interconnected enterprise infrastructures. Future campaigns are expected to focus on maintaining a low operational profile while gathering valuable organizational information and establishing covert communication channels that can support broader malicious objectives. As a result, enterprises may face increased risks of unauthorized access, data compromise, and operational disruption that are difficult to detect during the early stages of an intrusion, while employees could become more frequent targets through seemingly legitimate files and applications that exploit routine business activities to gain an initial foothold within corporate environments.
IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems. (Source: Surface Web)
YARA Rules
rule Trojan_DLL_Discord_Webhook_IPAPI
{
meta:
description = “Detects a DLL-based Trojan using Discord webhook and IP-API for host profiling”
author = “CYFIRMA” date = “2026-07-06”
strings:
/* Sample Hash */
$hash1 =
“c8525c9380f5c3d9d5c66e101120fee50c3e4a80d0981507d300b33a6cafb208”
/* Network Indicators */
$s1 = “discord.com/api/webhooks/”
$s2 = “ip-api.com/line/?fields=query”
$s3 = “discord.com”
$s4 = “ip-api.com”
/* Windows Execution */
$s5 = “rundll32.exe”
$s6 = “loaddll64.exe”
$s7 = “WININET.dll”
/* WinINet APIs */
$api1 = “InternetConnect”
$api2 = “HttpOpenRequest”
$api3 = “HttpSendRequest”
$api4 = “InternetReadFile”
/* Anti-analysis */
$anti1 = “VirtualBox”
$anti2 = “VMware”
$anti3 = “sandbox”
condition:
uint16(0) == 0x5A4D and (
$hash1 or
(all of ($s1, $s2) and 2 of ($api*)) or (3 of ($s*) and 2 of ($api*)) or
(2 of ($anti*) and 2 of ($api*))
)
}
Strategic Recommendations
Management Recommendations
Tactical Recommendations
Key Intelligence Signals:
North Korean Threat Actor Broadens Supply Chain Operations
About the Threat Actor
Lazarus Group is a sophisticated North Korean state-sponsored threat actor that has been active since at least 2009 and is widely believed to operate on behalf of the DPRK government. Known as Hidden Cobra by the U.S. government, the group is reportedly associated with Lab 110, a unit of North Korean military intelligence. Lazarus is recognized for its advanced malware development capabilities, continuously evolving its tools and techniques to support cyber espionage and financially motivated operations, particularly targeting cryptocurrency organizations in recent years. The group has conducted high-profile attacks against the South Korean government and politically significant organizations, Bangladesh Bank, Sony Pictures Entertainment, and various U.S.-based entities. It is believed to comprise multiple subgroups, including Andariel, which primarily targets the South Korean government and organizations, and Bluenoroff, which focuses on financial theft and global espionage campaigns. Lazarus has been linked to several notable operations, including Operation Troy, DarkSeoul, the Sony Pictures attack, SWIFT-related bank heists, and WannaCry. Furthermore, UNC1069 is suspected of sharing infrastructure overlaps with Bluenoroff, a sub-affiliate of the Lazarus Group.
TTPs based on MITRE ATT&CK Framework

TTPs based on the MITRE ATT&CK Framework
| Tactic | ID | Technique |
| Reconnaissance | T1591 | Gather Victim Org Information |
| Reconnaissance | T1591.004 | Gather Victim Org Information: Identify Roles |
| Reconnaissance | T1589.002 | Gather Victim Identity Information: Email Addresses |
| Reconnaissance | T1593.001 | Search Open Websites/Domains: Social Media |
| Resource Development | T1587.001 | Develop Capabilities: Malware |
| Resource Development | T1587.002 | Develop Capabilities: Code Signing Certificates |
| Resource Development | T1583.001 | Acquire Infrastructure: Domains |
| Resource Development | T1583.004 | Acquire Infrastructure: Server |
| Resource Development | T1583.006 | Acquire Infrastructure: Web Services |
| Resource Development | T1584.001 | Compromise Infrastructure: Domains |
| Resource Development | T1584.004 | Compromise Infrastructure: Server |
| ResourceDevelopment | T1585.001 | Establish Accounts: Social Media Accounts |
| ResourceDevelopment | T1585.002 | Establish Accounts: Email Accounts |
| ResourceDevelopment | T1588.002 | Obtain Capabilities: Tool |
| ResourceDevelopment | T1588.003 | Obtain Capabilities: Code Signing Certificates |
| ResourceDevelopment | T1588.004 | Obtain Capabilities: Digital Certificates |
| Initial Access | T1189 | Drive-by Compromise |
| Initial Access | T1566.001 | Phishing: Spear phishing Attachment |
| Initial Access | T1566.002 | Phishing: Spear phishing Link |
| Initial Access | T1078 | Valid Accounts |
| Initial Access | T0865 | Spear phishing Attachment |
| Initial Access | T1566.003 | Phishing: Spear phishing via Service |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Execution | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Execution | T1106 | Native API |
| Execution | T1204.001 | User Execution: Malicious Link |
| Execution | T1204.002 | User Execution: Malicious File |
| Execution | T1203 | Exploitation for Client Execution |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| Execution | T1047 | Windows Management Instrumentation |
| Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic |
| Execution | T1574.001 | Hijack Execution Flow: DLL |
| Execution | T1574.013 | Hijack Execution Flow: KernelCallbackTable |
| Persistence | T1505.004 | Server Software Component: IIS Components |
| Persistence | T1542.003 | Pre-OS Boot: Bootkit |
| Persistence | T1543.003 | Create or Modify System Process: Windows Service |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Persistence | T1078 | Valid Accounts |
| Persistence | T1098 | Account Manipulation |
| Persistence | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification |
| Privilege Escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Privilege Escalation | T1098 | Account Manipulation |
| Privilege Escalation | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification |
| Privilege Escalation | T1543.003 | Create or Modify System Process: Windows Service |
| Privilege Escalation | T1055.001 | Process Injection: Dynamic-link Library Injection |
| Privilege Escalation | T1078 | Valid Accounts |
| Privilege Escalation | T1134.002 | Access Token Manipulation: Create Process with Token |
| Stealth | T1134.002 | Access Token Manipulation: Create Process with Token |
| Stealth | T1218 | System Binary Proxy Execution |
| Stealth | T1218.005 | System Binary Proxy Execution: Mshta |
| Stealth | T1218.010 | System Binary Proxy Execution: Regsvr32 |
| Stealth | T1218.011 | System Binary Proxy Execution: Rundll32 |
| Stealth | T1620 | Reflective Code Loading |
| Stealth | T1070 | Indicator Removal |
| Stealth | T1070.003 | Indicator Removal: Clear Command History |
| Stealth | T1070.004 | Indicator Removal: File Deletion |
| Stealth | T1202 | Indirect Command Execution |
| Stealth | T1036.003 | Masquerading: Rename Legitimate Utilities |
| Stealth | T1036.004 | Masquerading: Masquerade Task or Service |
| Stealth | T1036.005 | Masquerading: Match Legitimate Resource Name or Location |
| Stealth | T1036.008 | Masquerading: Masquerade File Type |
| Stealth | T1027.002 | Obfuscated Files or Information: Software Packing |
| Stealth | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution |
| Stealth | T1027.009 | Obfuscated Files or Information: Embedded Payloads |
| Stealth | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File |
| Stealth | T1220 | XSL Script Processing |
| Stealth | T1497.003 | Virtualization/Sandbox Evasion: Time-Based Evasion |
| Stealth | T1622 | Debugger Evasion |
| Stealth | T1140 | Deobfuscate/Decode Files or Information |
| Stealth | T1564.001 | Hide Artifacts: Hidden Files and Directories |
| Stealth | T1684.001 | Social Engineering: Impersonation |
| Stealth | T1221 | Template Injection Authentication Process: Conditional Access Policies |
| Stealth | T1574.001 | Hijack Execution Flow: DLL |
| Stealth | T1574.013 | Hijack Execution Flow: KernelCallbackTable |
| Stealth | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
| Stealth | T1078 | Valid Accounts |
| DefenseImpairment | T1686.003 | Disable or Modify System Firewall: Windows Host Firewall |
| DefenseImpairment | T1685 | Disable or Modify Tools |
| Credential Access | T1056.001 | Input Capture: Keylogging |
| Credential Access | T1110.003 | Brute Force: Password Spraying |
| Credential Access | T1557.001 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1057 | Process Discovery |
| Discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
| Discovery | T1497.003 | Virtualization/Sandbox Evasion: Time-Based Evasion |
| Discovery | T1087.002 | Account Discovery: Domain Account |
| Discovery | T1010 | Application Window Discovery |
| Discovery | T1046 | Network Service Discovery |
| Discovery | T1622 | Debugger Evasion |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1012 | Query Registry |
| Discovery | T1614.001 | System Location Discovery: System Language Discovery |
| Discovery | T1016 | System Network Configuration Discovery |
| Discovery | T1049 | System Network Connections Discovery |
| Discovery | T1033 | System Owner/User Discovery |
| Discovery | T1680 | Local Storage Discovery |
| Discovery | T1124 | System Time Discovery |
| LateralMovement | T1021.002 | Remote Services: SMB/Windows Admin Shares |
| LateralMovement | T1021.001 | Remote Services: Remote Desktop Protocol |
| LateralMovement | T1021.004 | Remote Services: SSH |
| LateralMovement | T1534 | Internal Spear phishing |
| Collection | T1056.001 | Input Capture: Keylogging |
| Collection | T1560 | Archive Collected Data |
| Collection | T1560.001 | Archive Collected Data: Archive via Utility |
| Collection | T1560.002 | Archive Collected Data: Archive via Library |
| Collection | T1560.003 | Archive Collected Data: Archive via Custom Method |
| Collection | T1557.001 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay |
| Collection | T1005 | Data from Local System |
| Collection | T1074.001 | Data Staged: Local Data Staging |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |
| Command and Control | T1571 | Non-Standard Port |
| Command and Control | T1132.001 | Data Encoding: Standard Encoding |
| Command and Control | T1001.003 | Data Obfuscation: Protocol or Service Impersonation |
| Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography |
| Command and Control | T1090.001 | Proxy: Internal Proxy |
| Command and Control | T1090.002 | Proxy: External Proxy |
| Command and Control | T1104 | Multi-Stage Channels |
| Command and Control | T1008 | Fallback Channels |
| Command and Control | T1105 | Ingress Tool Transfer |
| Command and Control | T1102.002 | Web Service: Bidirectional Communication |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Exfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
| Exfiltration | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol |
| Impact | T1561.001 | Disk Wipe: Disk Content Wipe |
| Impact | T1561.002 | Disk Wipe: Disk Structure Wipe |
| Impact | T1489 | Service Stop |
| Impact | T1485 | Data Destruction |
| Impact | T1529 | System Shutdown/Reboot |
| Impact | T1491.001 | Defacement: Internal Defacement |
Latest Developments Observed
The threat actor is suspected of expanding the PolinRider supply chain campaign beyond npm into Go Modules, Packagist, and Chrome extensions by compromising legitimate GitHub repositories and maintainer accounts. The campaign appears aimed at compromising developer environments to deliver malware and steal credentials, browser data, and cryptocurrency wallet information.
ETLM Insights
Lazarus Group continues to exhibit a mature and adaptive operational model centered on exploiting trusted software development ecosystems to facilitate strategic access, intelligence collection, and financially motivated operations. The group’s evolving tradecraft reflects a deliberate emphasis on abusing trusted software supply chains and legitimate development infrastructure to achieve scalable downstream compromise while preserving operational stealth and resilience.
The threat actor’s operations reflect:
Looking ahead, Lazarus Group is expected to further mature its software supply chain capabilities by strengthening operational resilience, expanding abuse of trusted development platforms, and refining stealth-oriented intrusion methodologies. This continued evolution reinforces the group’s ability to conduct large-scale compromises through trusted software ecosystems, posing a sustained threat to organizations that depend on open-source software, modern DevOps practices, and interconnected software supply chains.
YARA Rules
rule Lazarus_PolinRider_Generic_Hunt
{
meta:
author = “CYFIRMA”
description = “Generic hunting rule for Lazarus PolinRider campaign” date = “2026-07-07”
threat_actor = “Lazarus Group” campaign = “PolinRider” confidence = “Low”
strings:
$s1 = “nwv3u.exe” ascii nocase
$s2 = “/scratch/zoo/2026/0522/” ascii
$s3 = “check02id.com” ascii nocase
$s4 = “uti98.com” ascii nocase
$s5 = “2no.co” ascii nocase
$s6 = “uw04webzoom.us” ascii nocase
$s7 = “tronracing.com” ascii nocase
$ip1 = “208.91.197.27” ascii
$ip2 = “94.191.24.214” ascii
$ip3 = “139.59.27.154” ascii
$ip4 = “104.223.98.2” ascii
$ip5 = “104.223.97.2” ascii
condition:
uint16(0) == 0x5A4D and 3 of ($s*) and
any of ($ip*)
}
Strategic Recommendations
Management Recommendations
Tactical Recommendations
US Homeland Security Hacked
The U.S. Department of Homeland Security (DHS) is investigating a recent cyberattack on its Homeland Security Information Network (HSIN). The breached platform is a critical database used to share sensitive data among federal, state, local, and private-sector partners. The intruders supposedly targeted both HSIN servers and a collaborative SharePoint system sometime between late May and early June.
ETLM Assessment:
While the identity and affiliation of the hackers remain unknown, the operation would coincide with previous Chinese and Russian efforts. The focus on the HSIN – a database built specifically for unclassified but highly sensitive cross-agency coordination – mirrors previous state-sponsored campaigns aimed at gathering strategic intelligence rather than just causing immediate chaos. This campaign aligns with long-standing espionage efforts designed to map out vulnerability networks, response procedures, and interagency friction points. Accessing these collaborative systems provides adversaries with a blueprint of Western defensive readiness, similar to past DNS hijacking and sophisticated backdoor campaigns (such as those utilizing POWERSTATS or RustyWater).
Krybit Ransomware Impacts a Retail — Furniture and Home Furnishings Company from Malaysia
Summary:
CYFIRMA observed on a ransomware data leak site (DLS) on the dark web that a company from Malaysia was compromised by Krybit Ransomware. The Compromised company is a Malaysian furniture retailer and home lifestyle solutions provider that offers a broad range of residential and commercial furniture, home décor, and interior design services. The company has evolved from a traditional furniture retailer into a one-stop furniture megamall with both physical showrooms and an online store. The compromised data includes confidential and sensitive information belonging to the organization. The total size of the compromised data is approximately 400 GB.

Source: Dark Web
Relevancy & Insights:

ETLM Assessment:
According to CYFIRMA’s assessment, Krybit represents a persistent, financially motivated Ransomware-as-a-Service (RaaS) and data extortion threat that leverages an opportunistic affiliate-driven operational model to maximize pressure on victims. Although the group functions via external threat actors incentivized by lucrative profit-sharing structures, its targeted deployment of custom malware suites across corporate environments highlights the critical importance of robust identity security, continuous network monitoring, timely vulnerability remediation, and rigorous data loss prevention measures to detect, contain, and mitigate potential ransomware extortion attacks.
The Gentlemen Ransomware Impacts a Consumer Goods – Health & Beauty company from Japan
Summary: CYFIRMA observed on a ransomware data leak site (DLS) in the dark web that a company from Japan was compromised by The Gentlemen Ransomware. The compromised company is a major Japanese health and beauty company renowned for its dietary supplements, skincare, and cosmetics. The brand is especially famous for its olive oil-based beauty products and high-quality, affordable nutritional supplements. The company serves as a primary hub for consumers to purchase their popular health, wellness, and beauty essentials. The data, which has been breached, has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data includes confidential and sensitive information belonging to the organization.

Source: Dark Web
Relevancy & Insights:


ETLM Assessment:
According to CYFIRMA’s assessment, the Gentlemen Ransomware is a highly adaptive and globally active threat that leverages dual-extortion tactics, combining data theft with file encryption. The group employs advanced evasion and persistence techniques, supports cross-platform and scalable ransomware deployment, and conducts targeted attacks across multiple industries and geographic regions. This combination of capabilities makes it a significant risk to enterprise cybersecurity defenses, particularly for organizations with limited detection and incident-response maturity.
Vulnerability in BIOVIA Workbook
Relevancy & Insights:
The vulnerability exists due to a race condition
Impact:
A remote user can exploit the race and gain unauthorized access to sensitive information of other application users.
Affected Products:
https[:]//www[.]3ds[.]com/trust-center/security/security-advisories/cve-2026-5120
Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.
TOP 5 AFFECTED TECHNOLOGIES OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment
Vulnerability in BIOVIA Workbook introduces significant risks to organizations that rely on scientific data management and laboratory informatics platforms to support research, development, and regulated laboratory operations. As BIOVIA Workbook is widely used across pharmaceutical, biotechnology, chemical, and life sciences organizations to manage experimental data, research workflows, and laboratory records, exploitation of this vulnerability could allow unauthorized access to sensitive scientific information belonging to other users. A successful attack may expose confidential research data, compromise intellectual property, and impact the integrity of laboratory operations and collaborative research environments. Organizations leveraging BIOVIA Workbook should ensure timely application of security updates, continuously monitor user activities, and implement robust access control and auditing mechanisms to reduce the risk of unauthorized data access. Addressing this vulnerability is essential to maintaining the confidentiality, integrity, and security of scientific research data and enterprise laboratory management environments.
Qilin Ransomware attacked and published the data of a Food & Beverage company from Thailand
Summary:
Recently, we observed that Qilin Ransomware attacked and published the data of a Food & Beverage company from Thailand on its dark web website. The compromised company is a Thailand-based food and beverage company. The company specializes in the production, marketing, and distribution of edible oils, palm oil-based products, margarine, shortening, specialty fats, and processed food products for both retail consumers and industrial customers. Based on the preview shown in the image, the ransomware attack appears to have compromised internal corporate documents, including business forms, financial records, invoices, accounting statements, operational documents, and other confidential organizational records.

Source: Dark Web
Relevancy & Insights:
ETLM Assessment:
According to CYFIRMA’s assessment, Qilin ransomware poses a significant threat to organizations of all sizes. Its evolving tactics, including double extortion (data encryption and leak threats), cross-platform capabilities (Windows and Linux, including VMware ESXi), and a focus on speed and evasion, make it a particularly dangerous actor.
Unauthorised Manufacturing Database Advertised on a Leak Site
Summary: The CYFIRMA research team identified a post on a dark web forum advertising the sale of a large volume of data allegedly originating from a South Korean manufacturing organization operating in the energy storage systems (ESS) and automotive components sector. According to the advertisement, the seller claims to possess multiple recent system backups, database dumps, and human resources-related files extracted from the organization’s internal environment.
Based on the information shared in the forum post, the allegedly exposed data may include:
According to the advertisement, sample files and screenshots have been published as proof of possession, while the complete dataset is being offered for sale on a cybercrime forum. The post claims that the data consists of multiple backup archives and database dumps collected from internal enterprise systems.
If verified, exposure of this information could significantly impact the affected organization. Threat actors may exploit the leaked data to conduct targeted phishing campaigns, business email compromise (BEC), identity-based attacks, industrial espionage, unauthorized access to corporate systems, credential harvesting, extortion, and follow-on cyberattacks. Exposure of internal databases, HR information, and operational records may also facilitate supply chain attacks, intellectual property theft, and further compromise of critical business infrastructure.
This incident highlights the continued risk posed by unauthorized exposure of enterprise backup repositories and internal databases. Organizations should strengthen privileged access management, enforce multi-factor authentication, secure backup infrastructure, encrypt sensitive data at rest, continuously monitor privileged accounts, implement network segmentation, conduct regular security assessments, and maintain proactive threat intelligence capabilities to reduce the likelihood and impact of similar incidents.
The authenticity of the alleged dataset remains unverified at the time of reporting. This assessment is based solely on information published in the forum advertisement and has not been independently confirmed.

Source: Underground Forums
Relevancy & Insights:
Financially motivated cybercriminals are continuously looking for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to gain access and steal valuable data. Subsequently, the stolen data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.
ETLM Assessment:
The threat actor known is assessed to be a recently emerged but highly active and capable entity, primarily engaged in data-leak operations. The group’s activity highlights the persistent and fast-evolving cyber threat landscape, driven by underground criminal ecosystems. This development underscores the urgent need for organizations to reinforce their cybersecurity posture through continuous monitoring, improved threat intelligence capabilities, and proactive defensive strategies to protect sensitive information and critical infrastructure.
Recommendations: Enhance the cybersecurity posture by:
The CYFIRMA research team identified a post on a dark web forum advertising the sale of a large database allegedly originating from a healthcare organization in India. According to the forum advertisement, the seller claims to possess separate patient and employee databases containing millions of healthcare records and organizational information. The advertisement states that sample records have been published as proof of possession, while the complete dataset is being offered for sale through an escrow-based transaction.
Based on the information shared in the forum post, the allegedly exposed dataset may contain the following information:
According to the advertisement, the seller claims the patient database contains over 2 million records, with a sample consisting of approximately 1.09 million entries, while the employee database reportedly contains approximately 10,000 records. The complete dataset is advertised for sale through an escrow service, with sample data made available to demonstrate authenticity.
If verified, the exposure of this information could present significant risks to affected individuals and the organization. Cybercriminals may leverage the disclosed data to conduct identity theft, medical identity fraud, targeted phishing campaigns, social engineering attacks, insurance fraud, business email compromise (BEC), credential-based attacks, and other malicious activities. The compromise of employee information may further facilitate unauthorized access attempts, insider targeting, and follow-on attacks against healthcare infrastructure.
This incident highlights the ongoing risks associated with unauthorized exposure of healthcare databases containing sensitive patient and employee information. Organizations should strengthen identity and access management, implement multi-factor authentication, encrypt sensitive medical records, continuously monitor privileged accounts, conduct regular security assessments, deploy network segmentation, maintain secure backup practices, and enhance threat intelligence capabilities to reduce the likelihood and impact of similar incidents. Protecting healthcare information remains critical for ensuring patient privacy, regulatory compliance, and operational resilience.
The authenticity of the alleged dataset remains unverified at the time of reporting. This assessment is based solely on information published in the forum advertisement and has not been independently confirmed.

Source: Underground Forums
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.





For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, and technology, please access DeCYFIR.