CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This covers multiple industries, geographies, and technologies that could be relevant to your organization.
Type: Ransomware
Target Technologies: Windows
Introduction
CYFIRMA Research and Advisory Team has found BQTLOCK Ransomware while monitoring various underground forums as part of our Threat Discovery Process.
BQTLOCK Ransomware
Researchers have discovered a new ransomware strain called BQTLOCK, which surfaced in mid-July 2025. This ransomware encrypts victims’ files, renaming them with the .BQTLOCK extension. Infected systems are left with a ransom note titled READ_ME-NOW_2526968.txt.
Screenshot of files encrypted by ransomware (Source: Surface Web)
The ransom note claims the victim’s network has been completely compromised and all files encrypted using AES-256 and RSA-4096. Decryption is said to be impossible without the attackers’ private key. Victims are warned that using third-party tools or backups will result in permanent data loss. Communication is limited to Telegram or Twitter, with a Telegram link provided. Victims are typically granted a 48-hour window to initiate communication; failure to do so results in the ransom amount being doubled. If there is no response within seven days, the attackers assert that the decryption key will be permanently erased. The note uses urgency and fear tactics, ending with “We’re watching.” It offers no proof of decryption or free trial recovery, and the lack of a dark web portal suggests BQTLOCK is in an early stage of operation.
The appearance of BQTLOCK’s ransom note (“READ_ME-NOW_2526968.txt”) (Source: Surface Web)
The BQTLOCK ransomware site operates on the dark web as a Ransomware-as-a-Service (RaaS) platform, allowing cybercriminals to create and run their own ransomware campaigns. It offers a fully customizable interface where affiliates can choose between service tiers (Starter, Professional, and Enterprise) based on the level of features and support they require. The site allows users to upload custom branding, configure ransom notes, and monitor infections through a real-time dashboard. Payments and decryption transactions are conducted exclusively in Monero (XMR) to maintain anonymity. The website also includes a structured pricing system, a support channel via Telegram, and an automatic decryptor tool generation feature. Overall, the BQTLOCK website functions as a centralized hub for managing ransomware operations with a focus on ease of use, scalability, and monetization.
Screenshot of BQTLOCK’s Ransomware Onion Website (Source: Dark Web)
Screenshot of BQTLOCK’s Ransomware Telegram Channel (Source: Dark Web)
The following are the TTPs based on the MITRE ATT&CK Framework
Tactic | Technique ID | Technique Name |
Execution | T1053 | Scheduled Task/Job |
Execution | T1059 | Command and Scripting Interpreter |
Persistence | T1053 | Scheduled Task/Job |
Persistence | T1112 | Modify Registry |
Persistence | T1542.003 | Pre-OS Boot: Bootkit |
Privilege Escalation | T1053 | Scheduled Task/Job |
Privilege Escalation | T1548 | Abuse Elevation Control Mechanism |
Defense Evasion | T1036 | Masquerading |
Defense Evasion | T1070.004 | Indicator Removal: File Deletion |
Defense Evasion | T1112 | Modify Registry |
Defense Evasion | T1202 | Indirect Command Execution |
Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
Defense Evasion | T1542.003 | Pre-OS Boot: Bootkit |
Defense Evasion | T1548 | Abuse Elevation Control Mechanism |
Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools |
Credential Access | T1003 | OS Credential Dumping |
Credential Access | T1539 | Steal Web Session Cookie |
Credential Access | T1552.001 | Unsecured Credentials: Credentials in Files |
Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers |
Discovery | T1057 | Process Discovery |
Discovery | T1082 | System Information Discovery |
Discovery | T1497 | Virtualization/Sandbox Evasion |
Collection | T1005 | Data from Local System |
Collection | T1114 | Email Collection |
Collection | T1560 | Archive Collected Data |
Command and Control | T1071 | Application Layer Protocol |
Impact | T1490 | Inhibit System Recovery |
Impact | T1486 | Data Encrypted for Impact |
Relevancy and Insights:
The ransomware primarily targets Windows OS, which is used by enterprises across a variety of industries.
Checks the USB bus: This ransomware enumerates the USB bus as part of its infection strategy to identify connected USB devices such as flash drives or external storage. By scanning the USB bus, the ransomware can attempt to spread to other systems via removable media, locate additional files to encrypt, or evade detection by checking for the presence or absence of typical USB devices. This behaviour is a common tactic used by malware to extend its reach and impact.
This ransomware accesses the Windows Credential Manager to extract stored credentials, including usernames and passwords saved by the user or system. Suspicious access to the credential store is a technique often used during the credential access phase, where the ransomware attempts to gather authentication data to escalate privileges, disable security tools, or facilitate lateral movement within the network.
Debugging environments are used by developers to analyze and troubleshoot software. The ransomware checks whether it is running under a debugger and, if so, changes its behaviour; this helps it avoid analysis and detection attempts.
ETLM Assessment:
CYFIRMA’s assessment indicates that the BQTLOCK ransomware group is likely to evolve rapidly. Given its current tactics and infrastructure, BQTLOCK may shift and expand into double extortion operations and broaden its targeting, which may include finance, healthcare, manufacturing and other sectors. As the group refines its methods, including credential theft and lateral movement via USB, BQTLOCK is positioned to become a persistent and scalable global threat in the ransomware landscape.
Sigma rule:
title: Credential Manager Access By Uncommon Applications
tags:
    - attack.t1003
    - attack.credential-access
logsource:
    category: file_access
    product: windows
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        FileName|contains:
            - '\AppData\Local\Microsoft\Credentials\'
            - '\AppData\Roaming\Microsoft\Credentials\'
            - '\AppData\Local\Microsoft\Vault\'
            - '\ProgramData\Microsoft\Vault\'
    filter_system_folders:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
            - 'C:\Windows\system32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate software installed by the users, for example in the "AppData" directory, may access these files (for any reason).
level: medium
Source: Surface Web
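To show how the rule’s selection and filter combine, the following is an added Python re-implementation of its matching logic (not part of the report or the Sigma rule itself) run over a few constructed file-access events. The key="value" export format and the credential-file names are assumptions made for the sample.

```python
import re

# The four credential-store paths from the rule's "selection"
# (Sigma "contains" and "startswith" compare case-insensitively).
CREDENTIAL_PATHS = (
    "\\AppData\\Local\\Microsoft\\Credentials\\",
    "\\AppData\\Roaming\\Microsoft\\Credentials\\",
    "\\AppData\\Local\\Microsoft\\Vault\\",
    "\\ProgramData\\Microsoft\\Vault\\",
)
# The "filter_system_folders" prefixes: a process whose image lives here is
# excluded by the rule.
SYSTEM_FOLDERS = (
    "C:\\Program Files\\",
    "C:\\Program Files (x86)\\",
    "C:\\Windows\\system32\\",
    "C:\\Windows\\SysWOW64\\",
)

# Constructed sample events in an assumed key="value" export of the
# Kernel-File ETW provider; file names and the vault GUID are made up.
SAMPLE_LOG = r'''
Image="C:\Users\alice\AppData\Local\Temp\update.exe" FileName="C:\Users\alice\AppData\Local\Microsoft\Credentials\0A1B2C3D4E5F60718293A4B5C6D7E8F9"
Image="C:\Windows\System32\lsass.exe" FileName="C:\Users\alice\AppData\Local\Microsoft\Credentials\0A1B2C3D4E5F60718293A4B5C6D7E8F9"
Image="C:\Program Files\Vendor\backup.exe" FileName="C:\ProgramData\Microsoft\Vault\11111111-2222-3333-4444-555555555555\Policy.vpol"
Image="C:\Users\alice\AppData\Local\Temp\update.exe" FileName="C:\Users\alice\Documents\report.docx"
Image="C:\Users\Public\svchost.exe" FileName="C:\Users\alice\AppData\Roaming\Microsoft\Credentials\9F8E7D6C5B4A39281706F5E4D3C2B1A0"
'''

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn one key="value" line into a dict of fields."""
    return dict(_KV.findall(line))


def matches_rule(event):
    """Evaluate: selection and not 1 of filter_* for a single event."""
    filename = event.get("FileName", "").lower()
    image = event.get("Image", "").lower()
    selection = any(p.lower() in filename for p in CREDENTIAL_PATHS)
    in_system_folder = any(image.startswith(p.lower()) for p in SYSTEM_FOLDERS)
    return selection and not in_system_folder


def alerts_from_log(text):
    """Return the Image of every event the rule would flag, in log order."""
    hits = []
    for line in text.strip().splitlines():
        event = parse_event(line)
        if event and matches_rule(event):
            hits.append(event["Image"])
    return hits


if __name__ == "__main__":
    for image in alerts_from_log(SAMPLE_LOG):
        print("ALERT credential store read by", image)
```

Note that the filter keys on the Image path alone: a renamed binary running from a user profile (the Masquerading technique in the table above) still alerts, whereas anything an attacker manages to run from inside Program Files or System32 is silently excluded, so the rule is a medium-confidence signal rather than a complete control.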
Indicators of Compromise
Kindly refer to the IOCs section to exercise control of your security systems.
STRATEGIC RECOMMENDATION
Implement robust security controls, including encryption, authentication and access-credential configuration, for access to critical systems in your cloud and on-premises environments. Ensure that backups of critical systems are maintained and can be used to restore data when the need arises.
MANAGEMENT RECOMMENDATION
A data breach prevention plan must be developed considering (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) whether there is an obligation to notify the local authority.
Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.
TACTICAL RECOMMENDATION
Update all applications/software regularly with the latest versions and security patches alike.
Deploy the Sigma rule for threat detection and monitoring; it will help to detect anomalies in log events and to identify and monitor suspicious activity.
Build and undertake safeguarding measures by monitoring and blocking the IOCs and strengthening defences based on the tactical intelligence provided.
Type: Trojan
Objective: Redirection, Operational Disruption
Target Technology: Android OS
Target Geography: Global
Active Malware of the Week
This week “Konfety” is trending.
About Malware Konfety
A newly identified variant of the Konfety Android malware has been observed masquerading as a legitimate mobile application, while lacking any of the advertised functionality. It misleads users by generating fake alerts, redirecting them to harmful websites, and initiating the installation of unsolicited applications. Using a lookalike or evil-twin strategy, it deploys multiple versions of the same app under an identical identity to evade detection. This version also features a manipulated ZIP structure, making it more difficult for security systems to analyze. The operators behind Konfety remain highly adaptive, continuously refining their techniques to stay hidden and prolong the malware’s presence on infected devices.
Attack Method
Konfety employs a deceptive distribution method by imitating the name and branding of legitimate apps, a tactic known as the “evil twin” or “decoy twin” approach. Rather than relying on official app stores, the malware is actively promoted through third-party marketplaces, which often attract users looking for free versions of paid applications, or for alternatives because their devices no longer receive official support or cannot use Google’s services. This strategy not only exploits user trust but also enables the malware to bypass traditional security controls, increasing the chances of successful installation.
To enhance its stealth, Konfety introduces deliberate modifications to the app’s internal structure, specifically altering its packaging format. These changes are designed to mislead analysis tools and obstruct inspection of the malware’s contents. By embedding deceptive indicators—such as encryption flags or references to unsupported compression formats—it creates hurdles for standard analysis methods. This approach enables the malware to evade automated detection and disrupts the work of analysts attempting to conduct a deeper investigation.
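To make the packaging trick concrete, the following added Python checker (not code from the report or from the Konfety analysis it summarises) parses an archive’s central directory and local file headers directly, without trusting a ZIP library’s clean-up, and flags the indicators described above: an encryption flag, a compression method an APK cannot legitimately use, and a local header that disagrees with the central directory. The archive it inspects is a constructed sample tampered in memory; the method code 99 is an arbitrary unsupported value chosen for the sample.

```python
import io
import struct
import zipfile

CD_SIG = b"PK\x01\x02"
LFH_SIG = b"PK\x03\x04"
EOCD_SIG = b"PK\x05\x06"
SUPPORTED_METHODS = {0, 8}  # stored and deflate: the only methods valid in an APK
FLAG_ENCRYPTED = 0x0001     # general-purpose bit 0


def _central_directory_start(data):
    """Find the end-of-central-directory record; return (entry count, CD offset)."""
    pos = data.rfind(EOCD_SIG)
    if pos < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, entries, _cd_size, cd_offset, _ = struct.unpack_from("<4sHHHHIIH", data, pos)
    return entries, cd_offset


def central_entries(data):
    """Parse every central-directory record into a dict of the fields we audit."""
    count, pos = _central_directory_start(data)
    entries = []
    for _ in range(count):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError("bad central directory signature at offset %d" % pos)
        (_, _, _, flags, method, _, _, _, _, _, name_len, extra_len,
         comment_len, _, _, _, lfh_offset) = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append({"name": name, "flags": flags, "method": method,
                        "lfh_offset": lfh_offset, "cd_offset": pos})
        pos += 46 + name_len + extra_len + comment_len
    return entries


def local_header(data, offset):
    """Parse the local file header that a central-directory record points at."""
    if data[offset:offset + 4] != LFH_SIG:
        raise ValueError("bad local header signature at offset %d" % offset)
    _, _, flags, method, _, _, _, _, _, name_len, _ = struct.unpack_from("<4sHHHHHIIIHH", data, offset)
    name = data[offset + 30:offset + 30 + name_len].decode("utf-8", "replace")
    return {"name": name, "flags": flags, "method": method}


def audit_zip_structure(data):
    """Return (entry name, finding) pairs for each deceptive header indicator.
    Tools that read only one of the two views (central directory vs local
    header) are exactly what an inconsistent archive is built to confuse."""
    findings = []
    for entry in central_entries(data):
        name = entry["name"]
        if entry["flags"] & FLAG_ENCRYPTED:
            findings.append((name, "encryption flag set"))
        if entry["method"] not in SUPPORTED_METHODS:
            findings.append((name, "unsupported compression method %d" % entry["method"]))
        local = local_header(data, entry["lfh_offset"])
        if (local["flags"], local["method"], local["name"]) != (entry["flags"], entry["method"], name):
            findings.append((name, "local header disagrees with central directory"))
    return findings


def build_sample_zip():
    """Constructed sample: a tiny, well-formed, APK-shaped archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("AndroidManifest.xml", b"<manifest/>" * 20)
        archive.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    return buf.getvalue()


def tamper_central_directory(data, name, method):
    """Constructed sample: set the encryption bit and a bogus method on one
    central-directory record only, leaving its local header untouched."""
    out = bytearray(data)
    for entry in central_entries(data):
        if entry["name"] == name:
            struct.pack_into("<H", out, entry["cd_offset"] + 8, entry["flags"] | FLAG_ENCRYPTED)
            struct.pack_into("<H", out, entry["cd_offset"] + 10, method)
    return bytes(out)


if __name__ == "__main__":
    clean = build_sample_zip()
    tampered = tamper_central_directory(clean, "classes.dex", method=99)
    print("clean:", audit_zip_structure(clean))
    print("tampered:", audit_zip_structure(tampered))
```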
Technical Analysis
Konfety demonstrates a high level of sophistication aimed at evading both automated security systems and manual scrutiny. It hides its true capabilities through multiple layers of obfuscation, including loading hidden components only during runtime. These concealed elements are stored in encrypted form and only become active once the app is running, allowing it to execute its malicious functions while remaining invisible during installation.
Researchers found that some essential parts of the app’s code—like services and receivers—were missing from the visible layers and were revealed only after deeper inspection. This discovery helped link the malware to earlier ad fraud operations, where it quietly loaded ads and additional content without user consent. Further analysis revealed that Konfety mimics the identity of genuine apps without copying their functionality, even going as far as hiding its icon to remain unnoticed. Additionally, once the app is executed, it communicates with remote servers, redirecting users through a series of questionable websites. These redirections ultimately push more apps or prompt users to enable persistent browser notifications, all while operating discreetly. These layers of concealment underline Konfety’s evolving nature and its potential to persist on user devices undetected.
The following are the TTPs based on the MITRE ATT&CK Framework
Tactic | Technique ID | Technique Name |
Persistence | T1624.001 | Event Triggered Execution: Broadcast Receivers |
Defense Evasion | T1655.001 | Masquerading: Match Legitimate Name or Location |
Defense Evasion | T1627.001 | Execution Guardrails: Geofencing |
Defense Evasion | T1628.001 | Hide Artifacts: Suppress Application Icon |
Defense Evasion | T1406.002 | Obfuscated Files or Information: Software Packing |
Discovery | T1420 | File and Directory Discovery |
Discovery | T1418 | Software Discovery |
Discovery | T1422 | System Network Configuration Discovery |
Discovery | T1426 | System Information Discovery |
Command and Control | T1481.001 | Web Service: Dead Drop Resolver |
INSIGHTS
ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that in the coming years, threats like Konfety are poised to evolve into more sophisticated, stealth-driven campaigns that blend seamlessly into users’ digital habits, making them harder to detect and more disruptive across personal, organizational, and broader digital ecosystems. As malware authors refine their ability to mimic legitimate apps and manipulate mobile packaging structures, these threats will increasingly bypass conventional security tools and embed themselves into daily routines—whether on personal devices, within corporate environments, or across third-party platforms. The growing reliance on unofficial app stores, combined with the demand for alternative apps in regions with limited access to official services, will further widen the malware’s reach. This trajectory suggests that the threat landscape will shift toward more context-aware, evasive, and persistent mobile threats, with campaigns like Konfety acting as early examples of how deeply malware can integrate into users’ digital lives without immediate detection.
IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.
YARA Rule
rule Konfety_Android_Malware
{
    meta:
        description = "Detects Konfety Android Malware indicators"
        author = "CYFIRMA"
        malware_family = "Konfety"
    strings:
        // Package names
        $pkg1 = "com.zddapps.totke"
        $pkg2 = "com.herocraft.game.freemium.catchthecandy"
        $pkg3 = "com.herocraft.game.yumsters.free"
        $pkg4 = "com.temperament.nearme.gamecenter"
        $pkg5 = "com.herocraft.game.free.medieval"
        $pkg6 = "physics.physics.physics"
        $pkg7 = "com.carromboard.friends.game"
        // SHA256 Hashes. Note: as plain text strings these only match when the
        // hash text itself appears inside the scanned file; matching a file by
        // its own digest requires YARA's hash module instead.
        $sha256_1 = "0bc62ee202ec3022da280dfec839e4dec0800bb421ed482a657abf7aaf6f9c10"
        $sha256_2 = "2d26502ff7a99c0df781ea7830fbafef621ff5c592a0803e63784f9b3d85d4ce"
        $sha256_3 = "eadcb8d177ef3fe5de6d0999d4f854485f79f832593c375491361b6a3e23d595"
        $sha256_4 = "3b6cdd4d708c3c79c7c2adbb2394293797a2c9cace8f724a14ed1dfa49d4a025"
        $sha256_5 = "6dc9d8c1cf11138eccea44e3662b044879f9721c22d6e3a90a1fdb76e674260e"
        $sha256_6 = "7f8a1ae757dcce8fc869f5f50f79d12b24c6316b5498ce5117d62ebffc8c4178"
        $sha256_7 = "7f645f7794a3039ed57e68a2a4dccd9825de054cfa3aece8e58694183cfcdf7d"
        $sha256_8 = "9f0778d5d3625321547d561e8c485f21ca606754e6c107685b97b3800336f3ee"
        $sha256_9 = "30bc2c475d09f9e41f11bcdc9089b077cfc4982f9d411e62f53ca5d732424541"
        $sha256_10 = "30d8a0fc34697966f80ca9652e98781612006efc09df93f42b92c8f0d3979056"
        $sha256_11 = "45ccf69ad2b86b46d749998438aa090c50f0e3b12b74d109c02e3de70152f2ab"
        $sha256_12 = "94c01ed008c8b83f1d9fc247b18ec36c05356b449a1d3d7940b0a737f3a61d22"
        $sha256_13 = "160a924a804c5f390358a17dcd45031a5785ae013990a9185d57a164d3836845"
        $sha256_14 = "362d15f5f98e5ac2fbfb1333b57e6fe08cd98b2703e18341d51424f4e749fd7a"
        $sha256_15 = "6097ac05da6c79d06f8ced22edf611ad551fbad7a00410f14fa4831cc9ccf2ea"
        $sha256_16 = "6504fc4739d220dc98f3596a424479ce066ea5eed409f3bc2cf0ea08584e6dc1"
        $sha256_17 = "73763f6106f8c0e928fe302d5764926832cc3afabe016c35b9c9fd99656d5191"
        $sha256_18 = "602972dfa5321381c4b40e35fe3f8b1ac66e7759c9c4a76efdffdbe0eaa1bca3"
        $sha256_19 = "8449156b632a3d7839c632377197728430e4dea8c7fa9a02648d13f9fa33bb8b"
        $sha256_20 = "a8c6a7a08e836ffad32b706182aa081849688fbdc023841c36a0920d62dd1fd4"
        $sha256_21 = "b8348f6a2b81216a7c4603c70dddcfbd95ed9a8a2119cb8547782ce115e85759"
        $sha256_22 = "ca4ee1b33f69a2239efb4568fa0f2da9ee1b11145d12a539bb5db2ce61881023"
        $sha256_23 = "d554ec3737d2ce09ab44366b210a0a3ce73af687b0a55047d899913c5932a14c"
        $sha256_24 = "e61a5f23526315c249997feaa08fbf86c42e584cfd19ab070ce23e9e2ffa0023"
        $sha256_25 = "ec7e1bb518d6d0a42afc78d33856e1b90a92f110a47cfd92ed9ff23a635ba017"
        $sha256_26 = "4d81aeb12c20131f7581ed9c00f1fdd8edb4e82ffe762959e0e32832ddf9ab7c"
    condition:
        any of ($pkg*) or any of ($sha256*)
}
Key Intelligence Signals:
Salt Typhoon: China-Affiliated Advanced Persistent Threat (APT) Group
About the Threat Actor
Salt Typhoon is a highly sophisticated advanced persistent threat (APT) group believed to be operated by China’s Ministry of State Security (MSS). The group has been linked to several high-profile cyber espionage campaigns, with a strong focus on targeting U.S. intelligence agencies and exfiltrating critical corporate intellectual property. Active since at least 2020, Salt Typhoon has conducted operations across multiple nations, demonstrating a global reach and strategic intent.
The group is widely regarded as a key asset within China’s broader “100-Year Strategy,” aimed at expanding the country’s global influence and achieving technological dominance. Researchers have observed tactical, technique, and procedural (TTP) overlaps between Salt Typhoon and another known APT group, FamousSparrow, suggesting a potential operational or organizational connection. Operating with high-level resources and advanced capabilities, Salt Typhoon exhibits deep expertise in cyberespionage and other illicit cyber activities, making it a significant threat to national security and international cyber stability.
Vulnerabilities Exploited
CVE | CVSS | Affected Products | Exploit Link |
CVE-2023-20198 | 10.0 | Cisco IOS XE | – |
CVE-2024-20399 | 6.7 | Cisco NX-OS | – |
CVE-2023-20273 | 7.2 | Cisco IOS XE | – |
CVE-2018-0171 | 9.8 | Cisco IOS Software and Cisco IOS XE | – |
CVE-2024-21887 | 9.8 | Ivanti Connect Secure and Ivanti Policy Secure | Link |
CVE-2023-46805 | 8.2 | Ivanti ICS and Ivanti Policy Secure | Link |
CVE-2023-48788 | 9.8 | Fortinet FortiClient EMS | – |
CVE-2021-26855 | 9.8 | Microsoft Exchange Server | Link1 Link 2 Link 3 Link 4 |
CVE-2022-3236 | 9.8 | Sophos Firewall | – |
CVE-2025-23006 | 9.8 | Sonicwall | – |
CVE-2024-21893 | 8.2 | Ivanti Connect Secure and Ivanti Policy Secure | – |
CVE-2024-21888 | 8.8 | Ivanti Connect Secure and Ivanti Policy Secure | – |
CVE-2021-26858 | 7.8 | Microsoft Exchange Server | – |
CVE-2021-27065 | 7.8 | Microsoft Exchange Server | Link 1 Link 2 |
CVE-2021-26857 | 7.8 | Microsoft Exchange Server | – |
TTPs based on the MITRE ATT&CK Framework
MITRE ATT&CK Tactics and Techniques
Tactics | ID | Technique |
Reconnaissance | T1590.004 | Gather Victim Network Information: Network Topology |
Resource Development | T1587.001 | Develop Capabilities: Malware |
Resource Development | T1588.002 | Obtain Capabilities: Tool |
Initial Access | T1190 | Exploit Public-Facing Application |
Persistence | T1098.004 | Account Manipulation: SSH Authorized Keys |
Persistence | T1136 | Create Account |
Privilege Escalation | T1098.004 | Account Manipulation: SSH Authorized Keys |
Defense Evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall |
Defense Evasion | T1070.002 | Indicator Removal: Clear Linux or Mac System Logs |
Credential Access | T1110.002 | Brute Force: Password Cracking |
Credential Access | T1040 | Network Sniffing |
Discovery | T1040 | Network Sniffing |
Lateral Movement | T1021.004 | Remote Services: SSH |
Collection | T1602.002 | Data from Configuration Repository: Network Device Configuration Dump |
Command and Control | T1572 | Protocol Tunneling |
Exfiltration | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol |
Latest Developments Observed
Salt Typhoon is suspected of targeting and compromising the network of a U.S. state’s Army National Guard, with the apparent objective of exfiltrating sensitive military information and expanding access to networks in other U.S. states and at least four territories. To gain initial access, the actor is believed to have exploited multiple known Common Vulnerabilities and Exposures (CVEs), while using a variety of leased IP addresses to conceal the true origin of their activities and evade detection.
ETLM Insights
Emerging threat groups such as Volt Typhoon, Salt Typhoon, and Silk Typhoon are widely suspected to be spinoffs or the next generation of the well-known threat actor MISSION2025, also known as APT41. Similar to APT41, these actors are believed to be operating under the direction of the People’s Liberation Army’s (PLA) intelligence units, executing clearly defined objectives and mission-driven cyber operations. Their structured approach and alignment with state-sponsored goals highlight the continued evolution and strategic focus of nation-state cyber capabilities.
The threat actor continues to pose significant challenges to investigators by actively disabling or manipulating logging mechanisms and selectively removing log entries that could reveal their presence. Their retrospective log tampering, often conducted shortly after public disclosures of their operations, underscores a high level of operational vigilance and adaptability.
Overall, the operational behavior of the threat actor is highly sophisticated and evasive, underscoring the group’s technical capabilities and strategic intent to remain undetected over extended periods.
To mitigate such threats, organizations must maintain continuous visibility not only at the operating system level but also ensure comprehensive patching, maintenance, and monitoring of all infrastructure appliances that support critical network operations.
Proactive defense measures are essential to detect and respond to such sophisticated adversarial activities.
Yara rule
rule APT_Salt_Typhoon_Generic_Backdoor
{
    meta:
        author = "CYFIRMA"
        description = "Detects generic traits of Salt Typhoon APT malware and related tools"
        threat_actor = "Salt Typhoon"
        date = "2025-07-18"
        confidence = "Medium"
    strings:
        // Common payload and loader indicators
        $str1 = "POST /favicon.ico" wide ascii
        $str2 = "cmd.exe /c whoami" wide
        $str3 = "runas /user:" wide
        $str4 = "shellcode" ascii
        $str5 = "cmd /c powershell -enc" wide
        $str6 = "plugx.dll" ascii nocase
        $str7 = "ShadowPad" ascii nocase
        $str8 = "rc4_encrypt" ascii nocase
        $str9 = "ChinaChopper" ascii nocase
        $str10 = "C:\\Users\\Public\\Videos\\svchost.exe" ascii
    condition:
        5 of ($str*)
}
Quad Countries Discussing Submarine Cable Security
The Quad nations comprising the United States, Australia, Japan, and India have held discussions on securing and expanding underwater communication cables in response to growing threats of sabotage and cyberattacks, according to a statement from the U.S. Embassy in India. Government representatives and industry leaders from the four countries convened in New Delhi to explore ways to safeguard and strengthen India’s submarine cable infrastructure. Discussions focused on regulatory reforms, as well as boosting maintenance and repair capabilities. Submarine cables are vital to global connectivity and economic development, carrying the majority of the world’s internet traffic. India alone handles nearly 20% of global data flow. In a recent meeting, Quad foreign ministers identified the security of submarine cables as a key area for collaboration, the U.S. State Department said.
ETLM Assessment:
As CYFIRMA outlined in a report last year, besides physical threats there is always the risk of cyber or network attacks. By hacking into the network management systems that private companies use to manage data traffic passing through the cables, malicious actors could disrupt data flows. A “nightmare scenario” would involve a hacker gaining control, or administrative rights, of a network management system: at that point, physical vulnerabilities could be discovered, data traffic disrupted or diverted, or even a “kill click” executed (deleting the wavelengths used to transmit data). The potential for sabotage or espionage is quite clear, and according to reports, the security of many of the network management systems is not up to date. The well-publicized attacks on critical infrastructure such as the SolarWinds and Colonial Pipeline cyberattacks also exposed the cyber vulnerabilities of the U.S. private sector, with dramatic implications for national security.
Lynx Ransomware Impacts the RICHARD MILLE ASIA PTE. LTD & D’LEAGUE PTE. LTD.
Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Singapore, RICHARD MILLE ASIA PTE. LTD & D’LEAGUE PTE. LTD. (https[:]//www[.]richardmille[.]com/) was compromised by Lynx Ransomware. Richard Mille Asia Pte. Ltd. is a company with its principal activity being retail sale of watches and clocks. D’League Pte Ltd is a Singapore-based company. It is involved in wholesale trade, specifically dealing in clothing and clothing accessories, and retail sale of watches and clocks. The compromised data includes banking and financial records, as well as other confidential and sensitive information related to the organization.
The following screenshot was observed published on the dark web:
Source: Dark Web
Relevancy & Insights:
ETLM Assessment:
According to CYFIRMA’s assessment, Lynx ransomware has emerged as a significant threat in the cybersecurity landscape, leveraging advanced encryption and double extortion tactics to target small and medium-sized businesses. Its structured affiliate program and versatile ransomware toolkit make it a formidable force in the RaaS ecosystem.
DevMan ransomware impacts the Ministry of Labour of Thailand
Summary: From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Thailand, the Ministry of Labour of Thailand (https[:]//www[.]mol[.]go[.]th/), was compromised by DevMan ransomware. The Ministry of Labour is a critical government body in Thailand, responsible for overseeing labour relations, social security, and employment services for the nation’s workforce. The DevMan ransomware group claims to have exfiltrated 300GB of sensitive data and is demanding a ransom of $15 million.
The following screenshot was observed published on the dark web:
Source: Dark Web
Relevancy & Insights:
ETLM Assessment:
According to CYFIRMA’s assessment, DevMan ransomware is a sophisticated, evolving threat built on established ransomware codebases but with unique features and flaws. It exemplifies the growing ransomware-as-a-service trend, posing significant risks to Windows environments, especially in Asia and Africa.
Vulnerability in Nginx Cache Purge Preload plugin for WordPress
Relevancy & Insights:
This is due to insufficient sanitization of the $_SERVER['HTTP_REFERER'] parameter passed from the 'nppp_handle_fastcgi_cache_actions_admin_bar' function.
Impact:
This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.
Affected Products:
https[:]//www[.]wordfence[.]com/threat-intel/vulnerabilities/id/bbe8c101-5e0a-4ba7-8ff7-4c8ed01e9ef5?source=cve
Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.
TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.
ETLM Assessment:
Vulnerability in the Nginx Cache Purge Preload plugin for WordPress can pose significant threats to user privacy and security. This can impact various industries globally, including media, e-commerce, education, and beyond. Ensuring the security of the Nginx Cache Purge Preload plugin is crucial for maintaining the integrity and performance of websites worldwide. Therefore, addressing these vulnerabilities is essential to safeguarding cache management operations, ensuring reliable content delivery, and preventing unauthorized access or disruptions across different geographic regions and sectors.
Crypto24 Ransomware attacked and published the data of Tan Chong Motor Holdings Berhad
Summary:
Recently, we observed that Crypto24 Ransomware attacked and published the data of Tan Chong Motor Holdings Berhad (https[:]//www[.]tanchonggroup[.]com/) on its dark web website. Tan Chong Motor Holdings Berhad (TCMH) is a leading Malaysia-based multinational corporation specializing in the assembly, manufacturing, distribution, and sales of motor vehicles. Recognized as one of Southeast Asia’s prominent automotive conglomerates, TCMH drives growth and operational resilience through its expansive regional assembly network, strategic alliances with global automotive brands, and a diversified portfolio encompassing automotive and mobility services. The ransomware attack has resulted in a significant data leak involving approximately 300GB of sensitive information. The compromised data includes comprehensive customer databases from various Tan Chong systems (such as NAV, BRASSTAX, VTS, CRM, and E-INVOICE), as well as legal and HR documents, financial and employee records, and contractual agreements with both partners and customers.
Source: Dark Web
Relevancy & Insights:
Crypto24 is a ransomware variant that emerged in mid-2024 and became notable for its aggressive, rapid attacks and use of the classic double-extortion technique.
Crypto24 operates a Ransomware-as-a-Service (RaaS) platform, inviting affiliates to spread the malware in exchange for a share of the profits. It promises fast monetary return for affiliates, with most attacks executed and payloads delivered in under six hours from initial compromise.
ETLM Assessment:
According to CYFIRMA’s assessment, Crypto24 is a high-profile ransomware group known for rapid, high-volume data theft, fast encryption, and aggressive pressure tactics that combine classic ransom demands with sensitive data leaks. Organizations in Asia have been primary targets, with attacks resulting in the exfiltration and exposure of terabytes of sensitive information. Recovery without payment is rarely feasible, underscoring the need for robust defense and backup strategies.
Indonesian Paint Giant Indaco Data Advertised on a Leak Site
Summary: The CYFIRMA Research team observed a data leak related to Indonesian Paint Giant Indaco (https[:]//www[.]indaco[.]id/) in an underground forum. Indaco is one of Indonesia’s largest and fastest-growing paint manufacturers. A threat actor “N1KA” has announced on a dark web forum that they have exfiltrated and leaked sensitive documents from a company renowned for its “Green” branding. The attacker asserts that the leaked data includes confidential and critical information sourced from the company’s internal systems.
The threat actor alleges to have published a total of approximately 3.5 GB of data. The compromised information reportedly includes highly sensitive corporate files. The actor specifically highlighted the contents of the leak, which allegedly contain:
Source: Underground Forums
Binghatti Data Advertised on a Leak Site
Summary:
The CYFIRMA Research team observed that a threat actor has allegedly put a vast trove of data belonging to Binghatti, a major real estate development company headquartered in Dubai, United Arab Emirates, up for sale on a hacking forum. Binghatti is a prominent player in the UAE’s property market, known for its extensive portfolio of residential and commercial projects. The alleged breach exposes the sensitive personal and financial information of its international clientele, raising significant concerns about privacy and security.
The seller claims the data was exfiltrated from a sales manager’s account and includes a wide array of highly confidential information. To substantiate their claims, the threat actor shared several sample files, including screenshots of reservation agreements, customer passports, bank transfer confirmations, and property floor plans. The post on the forum advertises the following types of data for sale:
The dataset, which reportedly includes a file with over 350 customer records and hundreds of individual document files, poses a severe risk to the individuals affected. The threat actor explicitly highlighted the data’s potential use for malicious activities, including investment fraud and other scams. The exposure of such detailed personal and financial data could lead to targeted financial fraud, identity theft, and sophisticated phishing campaigns against Binghatti’s customers.
Source: Underground Forums
Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.
ETLM Assessment:
The threat actor identified as “N1KA” has recently gained attention as a highly active group specializing in data leaks. Reliable sources have connected the group to multiple security breaches involving unauthorized system access and the attempted sale of exfiltrated data on dark web marketplaces. N1KA’s ongoing operations highlight the evolving and persistent nature of cyber threats emerging from underground forums. These incidents underscore the critical importance for organizations to strengthen their cybersecurity posture through continuous monitoring, advanced threat intelligence, and proactive defense strategies to protect sensitive data and infrastructure.
Recommendations: Enhance the cybersecurity posture by
The CYFIRMA Research team observed that a threat actor operating under the alias “DocAgent101” has posted a listing on a dark web forum, offering alleged unauthorized remote access to an Indian pharmaceutical company. The access reportedly includes VPN and RDP entry with local user privileges, potentially exposing a network of more than 600 systems. The actor is auctioning the access, starting at $4,000.
Victim Details:
Threat Actor & Claim:
Pricing (Auction Format):
Source: Underground forums