
CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple industries, geography, and technology that could be relevant to your organization.
Type: Ransomware
Target Technologies: Windows OS
Introduction:
CYFIRMA Research and Advisory Team has found GodDamn Ransomware while monitoring various underground forums as part of our Threat Discovery Process.
GodDamn Ransomware
Researchers identified GodDamn as a ransomware variant that encrypts files on compromised systems and modifies affected filenames by appending a victim-specific identifier enclosed in brackets, followed by the “.God8Damn” extension. As a result, encrypted files remain recognizable by their original names but become inaccessible due to the added extension and underlying encryption. Following the encryption routine, the malware generates a ransom note named “README.TXT” containing instructions for the victim.

Screenshot: File encrypted by the ransomware (Source: Surface Web)
The ransom note informs victims that their data has been encrypted and directs them to establish contact with the threat actors to obtain recovery instructions. To encourage rapid communication, the operators advertise a reduced decryption cost for victims who make contact within a limited timeframe after the attack. Multiple communication channels are provided, including email addresses and a messaging platform identifier, enabling direct interaction between the victim and the attackers.

Screenshot: The appearance of the GodDamn’s Ransom Note (README.txt) (Source: Surface Web)
The ransomware’s primary objective is to deny access to stored data and pressure victims into negotiating for file recovery. Its file-renaming convention combines a unique victim identifier with a custom extension, allowing encrypted data to be easily associated with a specific incident. The presence of a dedicated ransom note and multiple communication methods indicates a structured extortion workflow designed to facilitate victim engagement following successful encryption.
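As an added illustration (not code from CYFIRMA or from the sample itself), the following Python helper applies the renaming convention described above to a directory listing: it recovers the original filename and the bracketed victim identifier from each ".God8Damn" name, counts encrypted files per identifier, and records the directories in which a README.TXT note was dropped. The regular expression and the sample listing are constructed for this example.

```python
import os
import re
from collections import Counter
from dataclasses import dataclass

# Convention described in the report: <original name>[<victim id>].God8Damn
# The pattern is greedy on the original name so that a bracket pair inside the
# original filename does not get mistaken for the identifier.
ENCRYPTED_NAME = re.compile(r"^(?P<original>.+)\[(?P<victim_id>[^\[\]]+)\]\.God8Damn$")
RANSOM_NOTE = "README.TXT"


@dataclass
class EncryptedFile:
    directory: str
    original_name: str
    victim_id: str


def parse_encrypted_name(filename):
    """Return (original_name, victim_id) for a GodDamn-renamed file, else None."""
    match = ENCRYPTED_NAME.match(filename)
    if not match:
        return None
    return match.group("original"), match.group("victim_id")


def triage_listing(entries):
    """Summarise an iterable of (directory, filename) pairs.

    Returns counts per victim identifier, the original names of affected
    files, and every directory that received a ransom note.
    """
    encrypted = []
    note_dirs = set()
    for directory, name in entries:
        parsed = parse_encrypted_name(name)
        if parsed:
            encrypted.append(EncryptedFile(directory, *parsed))
        elif name.upper() == RANSOM_NOTE:
            note_dirs.add(directory)
    return {
        "encrypted_count": len(encrypted),
        "victim_ids": dict(Counter(f.victim_id for f in encrypted)),
        "original_names": sorted(f.original_name for f in encrypted),
        "ransom_note_dirs": sorted(note_dirs),
    }


def triage_directory(root):
    """Walk a real filesystem tree and triage it with the same logic."""
    listing = ((dirpath, name) for dirpath, _, names in os.walk(root) for name in names)
    return triage_listing(listing)


# Constructed listing for demonstration; paths and identifier are made up.
SAMPLE_LISTING = [
    ("C:/Users/alice/Documents", "budget.xlsx[1A2B3C4D].God8Damn"),
    ("C:/Users/alice/Documents", "README.TXT"),
    ("C:/Users/alice/Documents", "notes.txt"),
    ("C:/Users/alice/Pictures", "holiday.jpg[1A2B3C4D].God8Damn"),
    ("C:/Users/alice/Pictures", "README.TXT"),
    ("C:/Users/alice/Downloads", "invoice.pdf"),
]

if __name__ == "__main__":
    print(triage_listing(SAMPLE_LISTING))
```

A single identifier across every encrypted file is what the report describes: one victim-specific value per incident, which is why the per-identifier count is the quickest way to confirm that one run of the ransomware, rather than several, touched a host.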
The following are the TTPs based on the MITRE ATT&CK Framework
| Tactic | Technique ID | Technique Name |
| Execution | T1047 | Windows Management Instrumentation |
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1129 | Shared Modules |
| Persistence | T1112 | Modify Registry |
| Persistence | T1542.003 | Pre-OS Boot: Bootkit |
| Persistence | T1543.003 | Create or Modify System Process: Windows Service |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Privilege Escalation | T1055 | Process Injection |
| Privilege Escalation | T1134 | Access Token Manipulation |
| Privilege Escalation | T1543.003 | Create or Modify System Process: Windows Service |
| Privilege Escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Privilege Escalation | T1548 | Abuse Elevation Control Mechanism |
| Credential Access | T1003 | OS Credential Dumping |
| Credential Access | T1056.001 | Input Capture: Keylogging |
| Credential Access | T1552.001 | Unsecured Credentials: Credentials In Files |
| Discovery | T1007 | System Service Discovery |
| Discovery | T1033 | System Owner/User Discovery |
| Discovery | T1057 | Process Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1087 | Account Discovery |
| Discovery | T1135 | Network Share Discovery |
| Discovery | T1518 | Software Discovery |
| Discovery | T1614.001 | System Location Discovery: System Language Discovery |
| Collection | T1005 | Data from Local System |
| Collection | T1056.001 | Input Capture: Keylogging |
| Collection | T1074 | Data Staged |
| Collection | T1114 | Email Collection |
| Command and Control | T1071 | Application Layer Protocol |
| Impact | T1486 | Data Encrypted for Impact |
| Impact | T1489 | Service Stop |
| Stealth | T1014 | Rootkit |
| Stealth | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools |
| Stealth | T1036 | Masquerading |
| Stealth | T1055 | Process Injection |
| Stealth | T1070 | Indicator Removal |
| Stealth | T1134 | Access Token Manipulation |
| Stealth | T1542.003 | Pre-OS Boot: Bootkit |
| Defense Impairment | T1112 | Modify Registry |
| Defense Impairment | T1222 | File and Directory Permissions Modification |
Relevancy and Insights:
ETLM Assessment:
CYFIRMA’s analysis indicates the GodDamn Ransomware exhibits several characteristics that align with contemporary ransomware operations, including file encryption, victim-specific identifiers, and dedicated communication channels for ransom negotiations. The use of a unique identifier embedded within encrypted filenames enables operators to associate affected systems with specific incidents, while the deployment of a standardized ransom note provides a structured mechanism for initiating contact with victims. These features suggest an emphasis on managing victim interactions following successful encryption events.
The ransom note’s inclusion of multiple communication methods and a limited-time discount offer reflects common psychological pressure techniques observed across the ransomware ecosystem. By encouraging rapid engagement and reducing the perceived cost of early communication, threat actors attempt to influence victim decision-making during a period of operational disruption. Such tactics are frequently used to increase the likelihood of direct negotiations and maintain control over the recovery process.
Within the broader threat landscape, ransomware families employing organized extortion workflows continue to pose a significant risk to both enterprises and individual users. Even when technical sophistication varies, the operational impact of data encryption can result in business interruptions, loss of access to critical information, and recovery challenges. The presence of structured victim communication mechanisms, combined with the ability to render data inaccessible, highlights the ongoing relevance of ransomware as a persistent cybersecurity threat and reinforces the importance of layered defensive measures, continuous monitoring, and resilient backup practices.
Sigma rules:
title: Uncommon File Created In Office Startup Folder
tags:
    - attack.resource-development
logsource:
    product: windows
    category: file_event
detection:
    selection_word_paths:
        - TargetFilename|contains: '\Microsoft\Word\STARTUP'
        - TargetFilename|contains|all:
            - '\Office'
            - '\Program Files'
            - '\STARTUP'
    filter_exclude_word_ext:
        TargetFilename|endswith:
            - '.docb' # Word binary document introduced in Microsoft Office 2007
            - '.docm' # Word macro-enabled document; same as docx, but may contain macros and scripts
            - '.docx' # Word document
            - '.dotm' # Word macro-enabled template; same as dotx, but may contain macros and scripts
            - '.mdb'  # MS Access DB
            - '.mdw'  # MS Access DB
            - '.pdf'  # PDF documents
            - '.wll'  # Word add-in
            - '.wwl'  # Word add-in
    selection_excel_paths:
        - TargetFilename|contains: '\Microsoft\Excel\XLSTART'
        - TargetFilename|contains|all:
            - '\Office'
            - '\Program Files'
            - '\XLSTART'
    filter_exclude_excel_ext:
        TargetFilename|endswith:
            - '.xll'
            - '.xls'
            - '.xlsm'
            - '.xlsx'
            - '.xlt'
            - '.xltm'
            - '.xlw'
    filter_main_office_click_to_run:
        Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_office_apps:
        Image|contains:
            - ':\Program Files\Microsoft Office\'
            - ':\Program Files (x86)\Microsoft Office\'
        Image|endswith:
            - '\winword.exe'
            - '\excel.exe'
    condition: ((selection_word_paths and not filter_exclude_word_ext) or (selection_excel_paths and not filter_exclude_excel_ext)) and not 1 of filter_main_*
falsepositives:
    - False positive might stem from rare extensions used by other Office utilities.
level: high
(Source: Surface Web)
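To show how the rule's condition behaves on concrete events, the following Python evaluates the same selections and filters over constructed Sysmon-style file-creation records. This is an added example and not part of the Sigma rule or of CYFIRMA's material; the events, paths and field values are constructed, and Sigma's case-insensitive string matching is reproduced by lowercasing every comparison.

```python
# Field names follow the rule (TargetFilename, Image); everything else is constructed.
WORD_STARTUP = "\\Microsoft\\Word\\STARTUP"
WORD_STARTUP_ALL = ("\\Office", "\\Program Files", "\\STARTUP")
WORD_BENIGN_EXT = (".docb", ".docm", ".docx", ".dotm", ".mdb", ".mdw", ".pdf", ".wll", ".wwl")
EXCEL_STARTUP = "\\Microsoft\\Excel\\XLSTART"
EXCEL_STARTUP_ALL = ("\\Office", "\\Program Files", "\\XLSTART")
EXCEL_BENIGN_EXT = (".xll", ".xls", ".xlsm", ".xlsx", ".xlt", ".xltm", ".xlw")
CLICK_TO_RUN_DIR = ":\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\"
CLICK_TO_RUN_IMAGE = "\\OfficeClickToRun.exe"
OFFICE_DIRS = (":\\Program Files\\Microsoft Office\\", ":\\Program Files (x86)\\Microsoft Office\\")
OFFICE_APPS = ("\\winword.exe", "\\excel.exe")


def contains(value, needle):
    # Sigma 'contains' is case-insensitive; backslashes are literal.
    return needle.lower() in value.lower()


def contains_all(value, needles):
    # Sigma 'contains|all': every listed substring must be present.
    return all(contains(value, n) for n in needles)


def endswith_any(value, suffixes):
    low = value.lower()
    return any(low.endswith(s.lower()) for s in suffixes)


def matches_office_startup_rule(event):
    """Evaluate: ((selection_word_paths and not filter_exclude_word_ext)
    or (selection_excel_paths and not filter_exclude_excel_ext)) and not 1 of filter_main_*"""
    target = event.get("TargetFilename", "")
    image = event.get("Image", "")

    selection_word_paths = contains(target, WORD_STARTUP) or contains_all(target, WORD_STARTUP_ALL)
    filter_exclude_word_ext = endswith_any(target, WORD_BENIGN_EXT)
    selection_excel_paths = contains(target, EXCEL_STARTUP) or contains_all(target, EXCEL_STARTUP_ALL)
    filter_exclude_excel_ext = endswith_any(target, EXCEL_BENIGN_EXT)

    # Office's own binaries legitimately write into these folders, so they are filtered out.
    filter_main_office_click_to_run = contains(image, CLICK_TO_RUN_DIR) and endswith_any(image, (CLICK_TO_RUN_IMAGE,))
    filter_main_office_apps = any(contains(image, d) for d in OFFICE_DIRS) and endswith_any(image, OFFICE_APPS)

    startup_write = (selection_word_paths and not filter_exclude_word_ext) or (
        selection_excel_paths and not filter_exclude_excel_ext
    )
    return startup_write and not (filter_main_office_click_to_run or filter_main_office_apps)


# Constructed events: an unknown dropper writing a DLL into the Word startup folder,
# Word itself writing a template, cmd.exe writing an Excel add-in, Click-to-Run
# maintenance, an ordinary document save, and a .docx placed in the startup folder.
SAMPLE_EVENTS = [
    {"id": "dropper-word-dll", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\update.dll"},
    {"id": "winword-own-template", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "TargetFilename": "C:\\Program Files\\Microsoft Office\\root\\Office16\\STARTUP\\Building Blocks.dotx"},
    {"id": "cmd-excel-addin", "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\macro.xlam"},
    {"id": "click-to-run", "Image": "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe",
     "TargetFilename": "C:\\Program Files\\Microsoft Office\\root\\Office16\\XLSTART\\stats.xlb"},
    {"id": "ordinary-save", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\report.docx"},
    {"id": "docx-in-startup", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\template.docx"},
]


def evaluate(events=SAMPLE_EVENTS):
    """Return [(event id, matched)] for each event."""
    return [(e["id"], matches_office_startup_rule(e)) for e in events]


if __name__ == "__main__":
    for event_id, hit in evaluate():
        print(f"{event_id}: {'ALERT' if hit else 'ok'}")
```

The "cmd-excel-addin" event fires because ".xlam" is not in the rule's exclusion list, which is exactly the kind of rare-extension false positive the rule's own falsepositives note anticipates; a deployment that sees legitimate .xlam add-ins should extend filter_exclude_excel_ext rather than lower the level.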
IOCs:
Kindly refer to the IOCs section to exercise control of your security systems. (Source: Surface Web)
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Type: Infostealer | Objectives: Credential Theft | Target Technology: Windows OS | Target Geography: Global
CYFIRMA collects data from various forums and uses it to ascertain current trends. We identified several popular malware families being distributed in the wild to launch cyberattacks against organizations and individuals.
Active Malware of the week
This week, “VexxStealer” is in focus.
Overview of Operation VexxStealer Malware
Executive Summary
The analyzed sample was identified as VexxStealer, a malicious information-stealing threat distributed through a seemingly legitimate software installer. By masquerading as a trusted application, the threat relies on user interaction to gain initial access to a system. Once executed, it establishes persistence mechanisms that enable continued operation while remaining largely unnoticed by the victim.
Behavioral analysis indicates that the malware conducts extensive reconnaissance of the compromised environment, gathering information about the operating system, installed applications, and security controls. It also targets sensitive user data, creating a risk of unauthorized access to credentials, personal information, and other valuable digital assets. These activities suggest a clear objective of data theft and long-term access to affected systems.
The threat further demonstrates the ability to evade detection using legitimate system utilities and techniques designed to obscure its activities. By blending malicious operations with normal system behavior, it reduces the likelihood of immediate discovery and response. The combination of persistence, information gathering, and stealth capabilities highlights the potential impact of this threat on both individual users and organizational environments, reinforcing the need for strong security controls and cautious software installation practices.
Attack Method
The infection chain begins with a trojanized installer masquerading as a legitimate gaming-related application. Upon execution, the installer deploys multiple Electron-based components into the user’s profile directory and establishes shortcuts to ensure continued accessibility. The malware leverages a modular architecture, unpacking numerous resources, libraries, and Node.js modules that collectively support its malicious functionality. This approach enables the threat to appear as a normal software installation while simultaneously deploying the payload in the background.
Following installation, the malware performs extensive host reconnaissance to profile the compromised environment. It enumerates running processes, queries system information, identifies installed applications, and gathers details regarding security products present on the endpoint. The sample utilizes native Windows utilities such as WMIC, PowerShell, Command Prompt, and registry-related tools to collect information while blending its activity with legitimate administrative operations. The use of trusted system binaries reduces the likelihood of immediate detection and allows the malware to operate within normal system workflows.
Analysis also indicates the presence of credential acquisition capabilities. The malware interacts with components associated with Windows Data Protection API (DPAPI) and database libraries commonly used to access locally stored browser information. By leveraging these mechanisms, it can potentially extract authentication material, saved credentials, session tokens, and other sensitive data maintained within user applications. Additional collection activities, including clipboard monitoring and local data harvesting, suggest a broader objective of acquiring information that can be monetized or used for subsequent compromise stages.
To maintain operational effectiveness, the malware incorporates several defense-evasion and persistence techniques. Registry modifications, AutoStart mechanisms, process injection behaviors, and manipulation activities were observed during execution. The sample further attempts to identify virtualized or sandboxed environments, enabling it to alter or restrict execution when analysis conditions are detected. Network communications are initiated using standard application-layer protocols, allowing traffic to blend with normal internet activity. The combination of stealth mechanisms, system reconnaissance, credential theft, and persistence capabilities demonstrates a mature information-stealing threat designed to maximize data collection while minimizing the chances of detection.
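The behaviours described in the four paragraphs above (an installer dropping components under the user's profile, reconnaissance through WMIC, PowerShell, Command Prompt and registry tools, Run-key persistence, and interest in browser credential stores) can be correlated from process-creation telemetry. The following Python is an added example of such a correlation, not CYFIRMA's detection content and not derived from the sample: it groups child processes by a parent that runs from the user's profile, counts the distinct native utilities spawned within a short window, and checks command lines for the Run key and for browser store names. The events, paths, pids, window length and thresholds are all constructed or assumed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Native utilities named in the analysis, compared against child image basenames.
RECON_UTILITIES = {"wmic.exe", "powershell.exe", "cmd.exe", "reg.exe"}
# Command-line markers: Run-key persistence and browser credential stores.
PERSISTENCE_MARKERS = ("currentversion\\run",)
CREDENTIAL_MARKERS = ("login data", "web data", "cookies")
WINDOW = timedelta(seconds=120)   # assumed burst window for reconnaissance
MIN_DISTINCT_UTILITIES = 3        # assumed threshold for the utility-count branch


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_user_profile_binary(image):
    """Installers of this kind drop their components under the user's profile."""
    low = image.lower()
    return "\\appdata\\local\\" in low or "\\appdata\\roaming\\" in low


def analyse(events):
    """events: dicts with ts (ISO 8601), pid, ppid, image, parent_image, command_line.

    Returns one finding per suspicious parent, sorted by parent pid.
    """
    by_parent = defaultdict(list)
    for ev in events:
        if is_user_profile_binary(ev["parent_image"]):
            by_parent[(ev["ppid"], ev["parent_image"])].append(ev)

    findings = []
    for (ppid, parent), children in by_parent.items():
        children.sort(key=lambda e: e["ts"])
        start = datetime.fromisoformat(children[0]["ts"])
        burst = [c for c in children if datetime.fromisoformat(c["ts"]) - start <= WINDOW]
        utilities = {basename(c["image"]) for c in burst} & RECON_UTILITIES
        cmdlines = " ".join(c["command_line"].lower() for c in burst)
        persistence = any(m in cmdlines for m in PERSISTENCE_MARKERS)
        credential = any(m in cmdlines for m in CREDENTIAL_MARKERS)
        # Either a burst of several utilities, or any utility combined with a
        # persistence or credential-store indicator, is enough to raise a finding.
        if len(utilities) >= MIN_DISTINCT_UTILITIES or (utilities and (persistence or credential)):
            findings.append({
                "parent_pid": ppid,
                "parent_image": parent,
                "utilities": sorted(utilities),
                "persistence": persistence,
                "credential_access": credential,
            })
    return sorted(findings, key=lambda f: f["parent_pid"])


# Constructed telemetry. Parent 4120 is a trojanized "game booster" under the profile
# running a reconnaissance burst plus a Run-key write; 5100 is a legitimate Electron
# app running one helper; 1200 is explorer.exe (out of scope); 6000 adds only a Run key.
_BOOSTER = "C:\\Users\\alice\\AppData\\Local\\Programs\\GameBooster\\GameBooster.exe"
_HELPER = "C:\\Users\\alice\\AppData\\Roaming\\StreamHelper\\StreamHelper.exe"
SAMPLE_EVENTS = [
    {"ts": "2026-01-05T10:00:01", "pid": 4201, "ppid": 4120, "parent_image": _BOOSTER,
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "command_line": "wmic os get Caption,Version"},
    {"ts": "2026-01-05T10:00:04", "pid": 4210, "ppid": 4120, "parent_image": _BOOSTER,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell -NoProfile -Command Get-Process"},
    {"ts": "2026-01-05T10:00:08", "pid": 4222, "ppid": 4120, "parent_image": _BOOSTER,
     "image": "C:\\Windows\\System32\\reg.exe",
     "command_line": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v GameBooster /t REG_SZ /d " + _BOOSTER},
    {"ts": "2026-01-05T10:00:11", "pid": 4230, "ppid": 4120, "parent_image": _BOOSTER,
     "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd /c tasklist /svc"},
    {"ts": "2026-01-05T10:05:00", "pid": 5101, "ppid": 5100,
     "parent_image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd /c ver"},
    {"ts": "2026-01-05T10:06:00", "pid": 5201, "ppid": 1200, "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell"},
    {"ts": "2026-01-05T10:07:00", "pid": 6001, "ppid": 6000, "parent_image": _HELPER,
     "image": "C:\\Windows\\System32\\reg.exe",
     "command_line": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v StreamHelper /t REG_SZ /d " + _HELPER},
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

The profile-path scoping is what keeps the logic tolerant of legitimate Electron applications: Teams spawning a single cmd.exe is ignored, while the same parent location combined with a reconnaissance burst or a Run-key write is what the analysis above describes and is what the heuristic surfaces.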
The following are the TTPs based on the MITRE ATT&CK Framework for Enterprises
| Tactic | Technique ID | Technique Name |
| Initial Access | T1204 | User Execution |
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1129 | Shared Modules |
| Execution | T1574 | Hijack Execution Flow |
| Persistence | T1547.001 | Boot or Logon AutoStart Execution: Registry Run Keys / Startup Folder |
| Privilege Escalation | T1055 | Process Injection |
| Privilege Escalation | T1134 | Access Token Manipulation |
| Stealth | T1027 | Obfuscated Files or Information |
| Stealth | T1497 | Virtualization/Sandbox Evasion |
| Credential Access | T1555 | Credentials from Password Stores |
| Credential Access | T1552 | Unsecured Credentials |
| Credential Access | T1003 | OS Credential Dumping |
| Discovery | T1057 | Process Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1518 | Software Discovery |
| Discovery | T1012 | Query Registry |
| Collection | T1115 | Clipboard Data |
| Collection | T1005 | Data from Local System |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1105 | Ingress Tool Transfer |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
INSIGHTS
One notable aspect of this malware is its ability to disguise itself within software that aligns with user interests, particularly applications associated with gaming and entertainment. Rather than relying on complex exploitation techniques, the threat appears to capitalize on trust and curiosity, increasing the likelihood that users will voluntarily execute the installer. This reflects a broader trend in which threat actors prioritize convincing delivery mechanisms over highly sophisticated intrusion methods.
The malware also demonstrates a strong emphasis on remaining inconspicuous after deployment. Instead of drawing attention through disruptive activity, it operates in a manner that closely resembles legitimate software behavior. This low-profile approach enables the threat to coexist with normal user activity, reducing the chances that its presence will be immediately recognized. Such behavior highlights the growing preference among cybercriminals for stealth and prolonged access rather than overt system disruption.
Another observation is the extensive use of widely available development frameworks and common software components within the malware package. By leveraging technologies that are routinely encountered in legitimate applications, threat actors can create payloads that appear less suspicious and are easier to distribute across diverse environments. This blending of malicious functionality with mainstream software ecosystems continues to blur the distinction between legitimate and malicious applications, complicating efforts to identify threats based solely on appearance or packaging.
ETLM ASSESSMENT
From an Emerging Threat Landscape Monitoring (ETLM) perspective, the continued proliferation of information-stealing malware is expected to increase the exposure of organizational identities, employee credentials, and business-related digital assets across multiple sectors. As threat actors increasingly leverage trusted software themes and familiar user experiences to facilitate infections, organizations may encounter a growing volume of compromises originating from routine employee activities rather than direct attacks against enterprise infrastructure. This trend could result in a higher frequency of account misuse, unauthorized access incidents, and data exposure events affecting both on-premises and cloud-based environments. Furthermore, the widespread availability of such threats within cybercriminal ecosystems is likely to expand the potential victim pool, making organizations of varying sizes and industries susceptible to credential-focused compromises and the operational disruptions that may follow.
IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems. (Source: Surface Web)
YARA Rules
rule VexxStealer_Malware_Detection
{
    meta:
        description = "Detects VexxStealer malware and related variants using behavioral and host-based indicators"
        author = "CYFIRMA"
        date = "2026-06-16"
        malware_family = "VexxStealer"
    strings:
        /* Electron / NodeJS Components */
        $e1 = "electron.exe" nocase
        $e2 = "app.asar" nocase
        $e3 = "node_modules" nocase
        $e4 = "package.json" nocase
        /* Discovery Activities */
        $disc1 = "Process Discovery"
        $disc2 = "System Information Discovery"
        $disc3 = "Software Discovery"
        /* Windows Utilities */
        $cmd1 = "powershell.exe" nocase
        $cmd2 = "cmd.exe" nocase
        $cmd3 = "wmic.exe" nocase
        $cmd4 = "reg.exe" nocase
        /* Credential Access */
        $cred1 = "CryptUnprotectData"
        $cred2 = "Login Data"
        $cred3 = "Web Data"
        $cred4 = "Cookies"
        /* Defense Evasion */
        $ev1 = "Virtualization/Sandbox Evasion"
        $ev2 = "Obfuscated Files or Information"
        $ev3 = "Process Injection"
        $ev4 = "Hijack Execution Flow"
        /* Registry Artifacts */
        $reg1 = "CurrentVersion\\Run"
        $reg2 = "Software\\Microsoft\\Windows\\CurrentVersion"
        $reg3 = "Image File Execution Options"
        /* Common Libraries */
        $mod1 = "bcryptprimitives.dll"
        $mod2 = "ws2_32.dll"
        $mod3 = "crypt32.dll"
        $mod4 = "advapi32.dll"
        $mod5 = "wininet.dll"
        /* Sample SHA256 */
        $hash1 = "b21b0201a6004570e79e41f9c9deface5cdab75bad8194a416eac6dc22db98b7"
    condition:
        uint16(0) == 0x5A4D and (
            $hash1 or
            (2 of ($e*) and 2 of ($cmd*) and 2 of ($cred*)) or
            (2 of ($ev*) and 1 of ($disc*) and 2 of ($mod*)) or
            (2 of ($reg*) and 2 of ($cred*) and 2 of ($mod*))
        )
}
Strategic Recommendations
Management Recommendations
Tactical Recommendations
Key Intelligence Signals:
OceanLotus (APT32) Expanding Cyber-Espionage Operations Footprints
About the Threat Actor
OceanLotus Group is a suspected Vietnam-linked threat actor believed to operate in alignment with Vietnamese government interests. The group has remained highly active across the Asia-Pacific region and has been associated with cyber operations targeting organizations of strategic interest. Activity attributed to the threat group has been linked to multiple notable intrusions, including attacks against a European organization’s manufacturing operations in Vietnam and a Philippine-based consumer products company. The threat actor continues to demonstrate a sustained capability to conduct intelligence-driven cyber operations in support of broader national objectives.
Details on Exploited Vulnerabilities
| CVE ID | Affected Products | CVSS Score | Exploit Links |
| CVE-2017-11882 | Microsoft Office | 7.8 | Link1 |
| CVE-2020-0688 | Microsoft Exchange software | 8.8 | Link1, Link2 |
| CVE-2016-7255 | Windows Server | 7.8 | Link1, Link2, Link3, Link4 |
| CVE-2020-14882 | Oracle WebLogic Server | 9.8 | Link1, Link2, Link3 |
| CVE-2021-40444 | Microsoft Windows | 7.8 | Link1, Link2, Link3 |
| CVE-2020-0968 | Internet Explorer | 7.5 | – |
| CVE-2021-44832 | Apache Log4j2 versions | 6.6 | – |
| CVE-2021-45105 | Apache Log4j2 versions | 5.9 | – |
| CVE-2021-22986 | BIG-IP versions and BIG-IQ | 9.8 | Link1, Link2 |
TTPs based on MITRE ATT&CK Framework
| Tactic | ID | Technique |
| Reconnaissance | T1589 | Gather Victim Identity Information |
| Reconnaissance | T1589.002 | Gather Victim Identity Information: Email Addresses |
| Reconnaissance | T1598.003 | Phishing for Information: Spearphishing Link |
| Resource Development | T1583.001 | Acquire Infrastructure: Domains |
| Resource Development | T1583.006 | Acquire Infrastructure: Web Services |
| Resource Development | T1585.001 | Establish Accounts: Social Media Accounts |
| Resource Development | T1588.002 | Obtain Capabilities: Tool |
| Resource Development | T1608.001 | Stage Capabilities: Upload Malware |
| Resource Development | T1608.004 | Stage Capabilities: Drive-by Target |
| Initial Access | T1189 | Drive-by Compromise |
| Initial Access | T1078.003 | Valid Accounts: Local Accounts |
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment |
| Initial Access | T1566.002 | Phishing: Spearphishing Link |
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic |
| Execution | T1059.007 | Command and Scripting Interpreter: JavaScript |
| Execution | T1203 | Exploitation for Client Execution |
| Execution | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Execution | T1072 | Software Deployment Tools |
| Execution | T1569.002 | System Services: Service Execution |
| Execution | T1204.001 | User Execution: Malicious Link |
| Execution | T1204.002 | User Execution: Malicious File |
| Execution | T1047 | Windows Management Instrumentation |
| Execution | T1574.001 | Hijack Execution Flow: DLL |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Persistence | T1543.003 | Create or Modify System Process: Windows Service |
| Persistence | T1112 | Modify Registry |
| Persistence | T1137 | Office Application Startup |
| Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Persistence | T1505.003 | Server Software Component: Web Shell |
| Persistence | T1078.003 | Valid Accounts: Local Accounts |
| Privilege Escalation | T1078.003 | Valid Accounts: Local Accounts |
| Privilege Escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Privilege Escalation | T1543.003 | Create or Modify System Process: Windows Service |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
| Privilege Escalation | T1055 | Process Injection |
| Privilege Escalation | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Stealth | T1218.005 | System Binary Proxy Execution: Mshta |
| Stealth | T1218.010 | System Binary Proxy Execution: Regsvr32 |
| Stealth | T1218.011 | System Binary Proxy Execution: Rundll32 |
| Stealth | T1216.001 | System Script Proxy Execution: PubPrn |
| Stealth | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File |
| Stealth | T1027.016 | Obfuscated Files or Information: Junk Code Insertion |
| Stealth | T1036 | Masquerading |
| Stealth | T1036.003 | Masquerading: Rename Legitimate Utilities |
| Stealth | T1036.004 | Masquerading: Masquerade Task or Service |
| Stealth | T1036.005 | Masquerading: Match Legitimate Resource Name or Location |
| Stealth | T1027.010 | Obfuscated Files or Information: Command Obfuscation |
| Stealth | T1027.011 | Obfuscated Files or Information: Fileless Storage |
| Stealth | T1078.003 | Valid Accounts: Local Accounts |
| Stealth | T1055 | Process Injection |
| Stealth | T1564.001 | Hide Artifacts: Hidden Files and Directories |
| Stealth | T1564.003 | Hide Artifacts: Hidden Window |
| Stealth | T1564.004 | Hide Artifacts: NTFS File Attributes |
| Stealth | T1574.001 | Hijack Execution Flow: DLL |
| Stealth | T1070.004 | Indicator Removal: File Deletion |
| Stealth | T1070.006 | Indicator Removal: Timestomp |
| Defense Impairment | T1685.005 | Disable or Modify Tools: Clear Windows Event Logs |
| Defense Impairment | T1222.002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification |
| Defense Impairment | T1112 | Modify Registry |
| Credential Access | T1056.001 | Input Capture: Keylogging |
| Credential Access | T1552.002 | Unsecured Credentials: Credentials in Registry |
| Credential Access | T1003 | OS Credential Dumping |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory |
| Discovery | T1087.001 | Account Discovery: Local Account |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1135 | Network Share Discovery |
| Discovery | T1012 | Query Registry |
| Discovery | T1016 | System Network Configuration Discovery |
| Discovery | T1049 | System Network Connections Discovery |
| Discovery | T1033 | System Owner/User Discovery |
| Discovery | T1046 | Network Service Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1018 | Remote System Discovery |
| Lateral Movement | T1570 | Lateral Tool Transfer |
| Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares |
| Lateral Movement | T1072 | Software Deployment Tools |
| Lateral Movement | T1550.002 | Use Alternate Authentication Material: Pass the Hash |
| Lateral Movement | T1550.003 | Use Alternate Authentication Material: Pass the Ticket |
| Collection | T1560 | Archive Collected Data |
| Collection | T1056.001 | Input Capture: Keylogging |
| Command and Control | T1105 | Ingress Tool Transfer |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |
| Command and Control | T1071.003 | Application Layer Protocol: Mail Protocols |
| Command and Control | T1571 | Non-Standard Port |
| Command and Control | T1102 | Web Service |
| Exfiltration | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
Latest Developments Observed
The threat actor is suspected of targeting organizations across Vietnam’s infrastructure, transportation, construction, and stock investment software sectors through malware deployment and supply-chain compromise techniques leveraging SPECTRALVIPER and FireAnt Metakit malware. The campaign appears aimed at expanding the actor’s domestic targeting capabilities while continuing broader cyber espionage operations. The activity indicates a strategic effort to strengthen footholds within critical industries and facilitate long-term intelligence collection.
ETLM Insights
OceanLotus, also tracked as APT32, is a Vietnam-nexus advanced persistent threat group engaged in cyber-espionage activities aligned with strategic intelligence collection objectives. The group is consistently associated with sustained intelligence-driven operations targeting government, corporate, and strategically relevant sectors across multiple regions.
The threat actor’s operations reflect a deliberate intelligence collection model focused on maintaining persistent access to targeted environments and enabling long-term information gathering through covert and adaptive intrusion approaches.
Operational Characteristics Reflect:
Looking ahead, based on observed operational trends, OceanLotus is expected to continue refining its persistence-driven and identity-focused operational model to support evolving intelligence requirements. The group is likely to strengthen its operational resilience and maintain long-term espionage capabilities aligned with strategic objectives.
IOCs:
Kindly refer to the IOCs section to exercise control of your security systems. (Source: Surface Web)
YARA Rules
rule Exploit_Multi_CVE_Office_Exchange_WebLogic_F5
{
    meta:
        description = "Detection of exploitation attempts linked to multiple CVEs across Microsoft Office, Exchange, WebLogic, and F5 BIG-IP"
        author = "CYFIRMA"
        category = "Exploit Detection"
        threat_type = "Initial Access / RCE"
    strings:
        // CVEs
        $cve1 = "CVE-2017-11882"
        $cve2 = "CVE-2020-0688"
        $cve3 = "CVE-2016-7255"
        $cve4 = "CVE-2020-14882"
        $cve5 = "CVE-2021-40444"
        $cve6 = "CVE-2020-0968"
        $cve7 = "CVE-2021-44832"
        $cve8 = "CVE-2021-45105"
        $cve9 = "CVE-2021-22986"
        // Common exploited process context
        $p1 = "winword.exe"
        $p2 = "WinWord.exe"
        $p3 = "excel.exe"
        $p4 = "Excel.exe"
        $p5 = "acrord32.exe"
        $p6 = "AcroRd32.exe"
        // Exploitation-related context strings
        $s1 = "Equation Editor"
        $s2 = "mshtml"
        $s3 = "WebLogic"
        $s4 = "Exchange"
        $s5 = "BIG-IP"
        $s6 = "iControl"
        // Observed infrastructure indicators (optional enrichment)
        $ioc1 = "ps.andreagahuvrauvin.com"
        $ioc2 = "appointmentmedia.com"
        $ioc3 = "hosting-wordpress-services.com"
        $ioc4 = "toppaperservices.com"
        $ioc5 = "webmanufacturers.com"
        $ioc6 = "stablewindowsapp.com"
    condition:
        // Primary: any CVE indicator present
        any of ($cve*) or
        // Secondary: exploit context via process + tech keywords
        (2 of ($p*) and 1 of ($s*)) or
        // Tertiary: strong correlation with known malicious infrastructure + Office/PDF execution context
        (1 of ($ioc*) and 1 of ($p*))
}
Strategic Recommendations
Management Recommendations
Tactical Recommendations
OpenAI disrupts two Chinese influence operations
OpenAI has warned of activities by Chinese state-sponsored actors running influence operations in an attempt to manipulate public opinion in the US regarding artificial intelligence and technology policies. OpenAI observed two main campaigns: one promoted claims that AI data centers were driving up electricity costs, while the other criticized US tariffs and spread false allegations that ChatGPT user data had been compromised. The threat actors were abusing ChatGPT itself to support these operations. OpenAI responded to these findings by immediately banning all associated accounts.
ETLM Assessment:
As noted in previous CYFIRMA reports, within a matter of just a few years, Beijing has copied and successfully used many of Russia’s information warfare techniques. But unlike Russia, the Chinese government believes it has the ability and even the mandate to turn its domestic online surveillance apparatus outward, to disrupt and, perhaps eventually, even control global narratives in real time. Past elections in Taiwan and in Asia have been a showcase of how China is changing the tone and distribution mechanisms for its influence campaigns to prey on more localized concerns and to use platforms outside of the mainstream. Nowadays, China is fulfilling predictions our analysts made that the use of generative AI will become more prevalent, complex, and effective. This trend is only to be expected to continue.
Anthropic suspends Fable and Mythos models following a US national security directive
Anthropic has suspended all customer access to its newly released Fable 5 and Mythos 5 models following a US government export control directive. The restriction, issued just days after the state-of-the-art cybersecurity models were launched, bans foreign nationals, including Anthropic’s own overseas employees, from utilizing the tools. While the government did not disclose specific details regarding its national security concerns, Anthropic stated its understanding is that officials discovered a “jailbreaking” method to bypass the system’s guardrails. Anthropic noted it reviewed a demonstration of the technique, which uncovered a small number of minor, previously known vulnerabilities, but argued that other publicly available models could already identify the same issues without requiring a bypass.
ETLM Assessment:
The core national security concern stems from the risk of dual-use AI capabilities being weaponized by sophisticated state-sponsored advanced persistent threats (APTs) from countries like China and North Korea. These “Mythos-class” models possess advanced autonomous reasoning that can be leveraged to analyze complex codebases, discover critical software vulnerabilities, and rapidly construct exploits. Given that Chinese state actors are already known to run active cyber influence operations to manipulate public opinion and embed themselves in critical infrastructure in case of conflict, and groups linked to China have reportedly attempted to gain unauthorized access to these systems, the U.S. government feared a “jailbreak” would provide a strategic asymmetry. By bypassing the safety guardrails, hostile foreign nations could utilize the model to scan Western infrastructure for zero-day vulnerabilities and dramatically accelerate the scale and speed of devastating state-sponsored cyberattacks.
Dire Wolf Ransomware impacts a Manufacturing Company from Thailand
Summary:
CYFIRMA observed on a ransomware data leak site (DLS) on the dark web that a company from Thailand was compromised by Dire Wolf Ransomware. The compromised company is a Thailand-based manufacturer and exporter of motorcycle drive chains, cam chains, rims, and other power transmission components. The organization is recognized globally for its expertise in motorcycle chain technology and its role as a supplier to major motorcycle manufacturers. It serves a broad customer base that includes original equipment manufacturers (OEMs) as well as aftermarket distributors and consumers across Asia and international markets. The compromised data includes Internal Documents, Financial Documents, Commercial Contract Documents, Customer Data, Tax Filing Documents, and Financial Records. The total size of compromised data is approximately 260 GB.

Source: Dark Web
Relevancy & Insights:
ETLM Assessment:
According to CYFIRMA’s assessment, Dire Wolf is a newly identified ransomware group that emerged in May 2025, distinguished by its use of double-extortion tactics combining data encryption with data theft and threats of public exposure via an onion-based leak site. The group appears to operate solely for financial gains, without ideological motives. Its emergence highlights the evolving nature of ransomware threats in 2025, particularly the increased reliance on data exfiltration to amplify extortion efforts. These activities reinforce the urgent need for strong cybersecurity defenses and effective incident response strategies across all sectors.
The Gentlemen Ransomware impacts a manufacturing company from Japan
Summary: CYFIRMA observed on a ransomware data leak site (DLS) on the dark web that a company from Japan was compromised by The Gentlemen Ransomware. The compromised company is a Kyoto-based Japanese brand specialising in handcrafted textiles such as tenugui, furoshiki, and scarves. Its products are dyed using traditional aizome (indigo) techniques with natural indigo and historical patterns. The company is dedicated to preserving centuries-old craftsmanship while blending it with contemporary design. The breached data has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data includes confidential and sensitive information belonging to the organization.

Source: Dark Web
Relevancy & Insights:
ETLM Assessment:
According to CYFIRMA’s assessment, the Gentlemen Ransomware is a highly adaptive and globally active threat that leverages dual-extortion tactics, combining data theft with file encryption. The group employs advanced evasion and persistence techniques, supports cross-platform and scalable ransomware deployment, and conducts targeted attacks across multiple industries and geographic regions. This combination of capabilities makes it a significant risk to enterprise cybersecurity defenses, particularly for organizations with limited detection and incident-response maturity.
Vulnerability in Veeam Backup & Replication
Relevancy & Insights:
The vulnerability exists due to improper access control in the backup server when handling requests from authenticated domain users.
Impact:
A remote user can send a specially crafted request to execute arbitrary code on the backup server.
Only domain-joined backup servers are vulnerable.
Affected Products:
https[:]//www[.]veeam[.]com/kb4869
Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.
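One concrete form the monitoring recommendation above can take is a process-lineage check on the backup server: the flaw described here lets an authenticated domain user execute arbitrary code on the backup server, so a backup service process spawning a command interpreter or script host is the kind of unusual behaviour worth alerting on. The following is an added example, not CYFIRMA’s or Veeam’s code. It runs a detection rule over constructed, Sysmon-style process-creation records (Event ID 1 in JSON form); the Veeam image names, the list of suspicious child processes, the host names and the sample events are all assumptions made for illustration and should be tuned to the services actually installed. Because the advisory states that only domain-joined backup servers are vulnerable, the rule raises severity for hosts known to be domain-joined.

```python
"""Process-lineage detection for a Veeam backup server (added example).

Flags Sysmon-style process-creation events (Event ID 1) in which a process
belonging to the Veeam backup service launches a shell, script host or other
living-off-the-land binary. Image names and sample records below are
assumptions constructed for illustration, not real telemetry.
"""
import json
from dataclasses import dataclass
from typing import List, Optional, Set

# Assumed Veeam service image names (illustrative; verify against your install).
BACKUP_SERVICE_IMAGES = {
    "veeam.backup.service.exe",
    "veeam.backup.manager.exe",
}

# Child processes a backup service has no routine reason to launch.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
}


@dataclass(frozen=True)
class Finding:
    host: str
    parent: str
    child: str
    command_line: str
    severity: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_event(event: dict, domain_joined_hosts: Set[str]) -> Optional[Finding]:
    """Return a Finding when a Veeam service process spawns a suspicious child.

    Severity is 'high' on domain-joined hosts (the population the advisory
    says is exposed) and 'medium' elsewhere.
    """
    if event.get("EventID") != 1:
        return None
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if parent not in BACKUP_SERVICE_IMAGES or child not in SUSPICIOUS_CHILDREN:
        return None
    host = event.get("Computer", "")
    severity = "high" if host in domain_joined_hosts else "medium"
    return Finding(host, parent, child, event.get("CommandLine", ""), severity)


def scan(lines: List[str], domain_joined_hosts: Set[str]) -> List[Finding]:
    """Run the rule over newline-delimited JSON records, skipping malformed ones."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a bad record should not abort the whole scan
        finding = analyse_event(event, domain_joined_hosts)
        if finding:
            findings.append(finding)
    return findings


VEEAM_SVC = r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe"

# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    json.dumps({"EventID": 1, "Computer": "VBR01", "ParentImage": VEEAM_SVC,
                "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"}),
    json.dumps({"EventID": 1, "Computer": "VBR01", "ParentImage": VEEAM_SVC,
                "Image": r"C:\Program Files\Veeam\Backup and Replication\Backup\VeeamAgent.exe",
                "CommandLine": "VeeamAgent.exe"}),  # routine child: no finding
    json.dumps({"EventID": 1, "Computer": "WS42", "ParentImage": r"C:\Windows\explorer.exe",
                "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"}),  # not Veeam
    json.dumps({"EventID": 1, "Computer": "VBR02", "ParentImage": VEEAM_SVC,
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": "powershell.exe -nop"}),  # VBR02 is not domain-joined: medium
    "not a json record",
]
DOMAIN_JOINED_HOSTS = {"VBR01"}

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, DOMAIN_JOINED_HOSTS):
        print(f"[{f.severity}] {f.host}: {f.parent} -> {f.child}: {f.command_line}")
```

The rule is deliberately narrow: it keys on parent-child lineage rather than on command-line strings, so it keeps working when an attacker obfuscates arguments, and the domain-joined inventory is the only environment-specific input it needs. In production the inventory would come from a CMDB or directory query rather than a hard-coded set.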
TOP 5 AFFECTED TECHNOLOGIES OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment:
The vulnerability in Veeam Backup & Replication introduces significant risk to organizations that rely on enterprise backup and recovery solutions to protect critical business data and ensure operational resilience. As Veeam Backup & Replication is widely used across enterprise environments to manage backup operations, disaster recovery processes, and data protection workflows, exploitation of this vulnerability could allow unauthorized access to sensitive backup infrastructure and compromise protected data assets. Unauthorized access to backup management systems may result in disruption of recovery operations, exposure of sensitive information, and increased risk of further compromise across interconnected environments. Organizations using enterprise backup solutions must ensure timely patching, continuous monitoring, and secure access control practices to mitigate the risk of exploitation. Addressing this vulnerability is essential to maintaining the confidentiality, integrity, and availability of critical backup systems and enterprise data protection environments.
World Leaks Ransomware attacked and published the data of a Manufacturing company from India
Summary:
Recently, we observed that World Leaks Ransomware attacked and published the data of a Manufacturing company from India on its dark web website. The compromised company is a prominent global player in the electronics manufacturing industry, with fast-emerging capabilities in Electronics Manufacturing Services, Semiconductor Assembly and Test, Semiconductor Foundry, and Design Services. The compromised data appears to include a large volume of internal corporate information stored across multiple file repositories, totaling approximately 630 GB and more than 204,000 files. Exposed content reportedly includes confidential documents, operational and administrative records, employee-related information, and a small set of passport files. The highlighted data categories indicate the presence of sensitive business documents marked as confidential, with one repository containing hundreds of confidential files and another containing several thousand additional confidential records.

Source: Dark Web
Relevancy & Insights:
ETLM Assessment:
According to CYFIRMA’s assessment, World Leaks Ransomware represents an emerging and adaptive threat within the cybersecurity landscape, particularly due to its focus on data exfiltration, double-extortion tactics, and targeting of organizations across multiple sectors. The group leverages sophisticated intrusion techniques and publicly exposes stolen data to increase pressure on victims, amplifying both financial and reputational damage. Organizations must strengthen their cybersecurity posture by implementing robust incident response strategies, enforcing strict access controls, and enhancing employee awareness to detect phishing and social engineering attempts. Continuous monitoring, timely patch management, and proactive threat intelligence are critical to mitigating risks and defending against the evolving tactics employed by World Leaks Ransomware.
Logistics and Courier Shipment Database Advertised on a Leak Site
Summary: The CYFIRMA research team identified a post on a dark web forum advertising the sale of a large shipment and logistics database allegedly originating from a major courier and transportation service provider operating across the Middle East and international markets. According to the forum advertisement, the dataset contains extensive shipment tracking records, package management information, and customer-related data associated with courier operations and logistics services.
The seller claims to possess approximately 261.40 GB of data comprising around 124,734,059 unique records. Based on the information provided in the forum post, the allegedly exposed dataset may contain the following information:
According to the advertisement, sample data has been provided as proof of possession, and the complete dataset is being offered for sale through an escrow-based transaction. The seller further claims that the information was obtained from internal systems associated with logistics and shipment management operations.
If verified, the exposure of such information could create significant risks for affected individuals and organizations. Cybercriminals could potentially leverage the disclosed data to conduct targeted phishing campaigns, social engineering attacks, identity theft, shipment fraud, business email compromise (BEC) schemes, customer impersonation, and supply chain reconnaissance activities. The exposure of sender and receiver information, shipment details, and contact records may also facilitate physical security risks and unauthorized tracking of commercial activities.
This incident highlights the ongoing risks associated with the unauthorized exposure of logistics and transportation databases containing sensitive customer and operational information. Organizations operating large-scale logistics networks should implement robust access controls, continuous monitoring, data encryption, privileged access management, network segmentation, and proactive threat intelligence programs to reduce the likelihood and impact of similar incidents. The protection of shipment data and customer information remains critical to maintaining operational integrity and stakeholder trust.
The authenticity of the alleged dataset remains unverified at the time of reporting, as the claims are based solely on information published in a forum advertisement and have not been independently confirmed.

Source: Underground Forums
Relevancy & Insights:
Financially motivated cybercriminals are continuously looking for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to gain access and steal valuable data. Subsequently, the stolen data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.
ETLM Assessment:
The threat actor is assessed to be an active and capable cybercriminal entity involved primarily in data breach and leak operations. Multiple credible indicators associate the actor with incidents involving unauthorized access to organizational systems, followed by the publication, sale, or distribution of stolen data on underground forums. These activities reflect the increasing sophistication and persistence of cyber threats emerging from organized cybercriminal ecosystems, emphasizing the need for organizations to strengthen their security posture through continuous monitoring, enhanced threat intelligence capabilities, and proactive cybersecurity measures to safeguard sensitive data and critical assets.
Recommendations: Enhance the cybersecurity posture by:
Summary: The CYFIRMA research team identified a post on a dark web forum advertising the sale of a large telecommunications subscriber database allegedly originating from a mobile and broadband service provider operating in Jordan. According to the forum advertisement, the dataset contains extensive customer account information, subscriber records, service activation details, contact information, and identity-related data associated with telecommunications services.
The seller claims that the database contains approximately 10 million records associated with 6.52 million users. Based on the information provided in the forum post, the allegedly exposed dataset may contain the following information:
According to the advertisement, sample data has been provided as proof of possession, and the complete dataset is being offered for sale. The exposed records reportedly contain a combination of subscriber identity information, account details, service-related data, and customer contact records that could be leveraged for malicious purposes if authenticated.
If verified, the exposure of such information could create significant risks for affected individuals and organizations. Cybercriminals could potentially exploit the disclosed information to conduct identity theft, SIM-swapping attacks, account takeover attempts, targeted phishing campaigns, social engineering operations, financial fraud, and unauthorized access to telecommunications services. The exposure of national identification numbers, contact information, and customer account details may further increase the risk of impersonation, credential abuse, and other forms of cyber-enabled crime.
This incident highlights the ongoing risks associated with the unauthorized exposure of telecommunications subscriber databases and customer management systems. Organizations that collect and process large volumes of customer information should implement robust access controls, encryption mechanisms, continuous monitoring, data minimization practices, privileged access management, and proactive threat intelligence capabilities to reduce the likelihood and impact of similar incidents. Protecting subscriber information remains critical for maintaining customer trust, regulatory compliance, and operational resilience.
The authenticity of the alleged dataset remains unverified at the time of reporting, as the claims are based solely on information published in a forum advertisement and have not been independently confirmed.

Source: Underground Forums
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.
For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, and technology, please access DeCYFIR.