CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – that could be relevant to your organization.
Type: Ransomware
Target Technologies: MS Windows
Introduction
The CYFIRMA Research and Advisory Team has found Backups Ransomware while monitoring various underground forums as part of our Threat Discovery Process.
Puld Ransomware
Puld is a ransomware variant associated with the MedusaLocker group. Upon infection, it encrypts files by adding a “.Puld39” extension and drops a ransom note titled “How_to_back_files.html,” demanding payment for decryption.
Screenshot of files encrypted by ransomware (Source: Surface Web)
The ransom note notifies victims that their company network has been breached, resulting in the encryption of all files and the theft of sensitive business data, including employee and customer information. The attackers demand payment in exchange for a decryption key and software, which are necessary to restore access to the encrypted files.
To prove their ability to decrypt the data, the attackers allow victims to submit up to two small files (under 2MB) for free decryption. Victims are given a five-day deadline to make contact and arrange payment. Failure to comply results in escalating consequences, including the permanent deletion of 24 files every 24 hours and the threat of leaking stolen data on the dark web or sharing it with other malicious actors.
The note strongly warns against any attempts to tamper with or independently recover the files, claiming it could result in irreversible loss. The attackers encourage victims to communicate via email or the TOX encrypted messaging platform for reliability.
Screenshot of Puld ransomware’s text file (“How_to_back_files.html “):(Source: Surface Web)
Following are the TTPs based on the MITRE Attack Framework
Relevancy and Insights:
ETLM Assessment:
CYFIRMA’s analysis reveals that the Medusa Locker ransomware group, historically known for targeting enterprise environments, has released a new variant named Puld. Medusa Locker’s past focus on high-value enterprise targets suggests that this new strain, Puld, may similarly aim at critical sectors with significant assets globally.
Given Medusa Locker’s established enterprise focus and Puld’s evolving capabilities, this variant may pose a growing global cybersecurity threat, underscoring the urgent need for strengthened defenses across all industry sectors.
Sigma rule:
title: Suspicious Windows Service Tampering
tags:
-defense-evasion
-impact
-t1489 logsource:
category: process_creation product: windows
detection: selection_tools_img:
-OriginalFileName:
-‘net.exe’
-‘net1.exe’
-‘PowerShell.EXE’
-‘psservice.exe’
-‘pwsh.dll’
-‘sc.exe’
-Image|endswith:
-‘\net.exe’
-‘\net1.exe’
-‘\powershell.exe’
-‘\PsService.exe’
-‘\PsService64.exe’
-‘\pwsh.exe’
-‘\sc.exe’ selection_tools_cli:
-CommandLine|contains:
-‘ delete ‘
-‘ pause ‘ # Covers flags from: PsService and EXE
-‘ stop ‘ # Covers flags from: PsService.EXE, EXE and Sc.EXE
-‘Stop-Service ‘
-‘Remove-Service ‘
CommandLine|contains|all:
-‘config’
-‘start=disabled’ selection_services:
CommandLine|contains:
– ‘143Svc’
-‘Acronis VSS Provider’
-‘AcronisAgent’
-‘AcrSch2Svc’
-‘AdobeARMservice’
-‘AHS Service’
-‘Antivirus’
-‘Apache4’
-‘ARSM’
-‘aswBcc’
-‘AteraAgent’
-‘Avast Business Console Client Antivirus Service’
-‘avast! Antivirus’
-‘AVG Antivirus’
-‘avgAdminClient’
-‘AvgAdminServer’
-‘AVP1’
-‘BackupExec’
-‘bedbg’
-‘BITS’
-BrokerInfrastructure’
-‘CASLicenceServer’
-‘CASWebServer’
-‘Client Agent 60’
-‘Core Browsing Protection’
-‘Core Mail Protection’
-‘Core Scanning Server’
-‘DCAgent’
-‘dwmrcs’
-‘EhttpSr’
-‘ekrn’
-‘Enterprise Client Service’
-‘epag’
-‘EPIntegrationService’
-‘EPProtectedService’
-‘EPRedline’
-‘EPSecurityService’
-‘EPUpdateService’
-‘EraserSvc11710’
-‘EsgShKernel’
-‘ESHASRV’
-‘FA_Scheduler’
-‘FirebirdGuardianDefaultInstance’
-‘FirebirdServerDefaultInstance’
-‘FontCache3.0.0.0’
-‘HealthTLService’
-‘hmpalertsvc’
-‘HMS’
-‘HostControllerService’
-‘hvdsvc’
-‘IAStorDataMgrSvc’
-‘IBMHPS’
-‘ibmspsvc’
-‘IISAdmin’
-‘IMANSVC’
-‘IMAP4Svc’
-‘instance2’
-‘KAVFS’
-‘KAVFSGT’
-‘kavfsslp’
-‘KeyIso’
-‘klbackupdisk’
-‘klbackupflt’
-‘klflt’
-‘klhk’
-‘KLIF’
-‘klim6’
-‘klkbdflt’
-‘klmouflt’
-‘klnagent’
-‘klpd’
-‘kltap’
– ‘KSDE1.0.0’
-‘LogProcessorService’
-‘M8EndpointAgent’
-‘macmnsvc’
-‘masvc’
-‘MBAMService’|
-‘MBCloudEA’
-‘MBEndpointAgent’
-‘McAfeeDLPAgentService’
-‘McAfeeEngineService’
-‘MCAFEEEVENTPARSERSRV’
-‘McAfeeFramework’
-‘MCAFEETOMCATSRV530’
-‘McShield’
-‘McTaskManager’
-‘mfefire’
-‘mfemms’
-‘mfevto’
-‘mfevtp’
-‘mfewc’
-‘MMS’
-‘mozyprobackup’
-‘mpssvc’
-‘MSComplianceAudit’
-‘MSDTC’
-‘MsDtsServer’
-‘MSExchange’
-‘msftesq1SPROO’
-‘msftesql$PROD’
-‘msftesql$SQLEXPRESS’
-‘MSOLAP$SQL_2008’
-‘MSOLAP$SYSTEM_BGC’
-‘MSOLAP$TPS’
-‘MSOLAP$TPSAMA’
-‘MSOLAPSTPS
-‘MSOLAPSTPSAMA’
-‘mssecflt’
-‘MSSQ!I.SPROFXENGAGEMEHT’
-‘MSSQ0SHAREPOINT’
-‘MSSQ0SOPHOS’
-‘MSSQL’
-‘MSSQLFDLauncher$’
-‘MySQL’
-‘NanoServiceMain’
-‘NetMsmqActivator’
-‘NetPipeActivator’
-‘netprofm’
-‘NetTcpActivator’
-‘NetTcpPortSharing’
-‘ntrtscan’
-‘nvspwmi’
-‘ofcservice’
-‘Online Protection System’
-‘OracleClientCache80
-‘OracleDBConsole’
-‘OracleMTSRecoveryService’
-‘OracleOraDb11g_home1’
-‘OracleService’
-‘OracleVssWriter’
-‘osppsvc’
-‘PandaAetherAgent’
-‘PccNTUpd’
-‘PDVFSService’
-‘POP3Svc’
-‘postgresql-x64-4’
-‘POVFSService’
-‘PSUAService’
-‘Quick Update Service’
-‘RepairService’
-‘ReportServer’
-‘ReportServer$’
-‘RESvc’
-‘RpcEptMapper’
-‘sacsvr’
-‘SamSs’
-‘SAVAdminService’
-‘SAVService’
-‘ScSecSvc’
-‘SDRSVC’
-‘SearchExchangeTracing’
-‘sense’
-‘SentinelAgent’
-‘SentinelHelperService’
-‘SepMasterService’
-‘ShMonitor’
-‘Smcinst’
-‘SmcService’
-‘SMTPSvc’
-‘SNAC’
-‘SntpService’
-‘Sophos’
-‘SQ1SafeOLRService’
-‘SQL Backups’
-‘SQL Server’
-‘SQLAgent’
-‘SQLANYs_Sage_FAS_Fixed_Assets’
-‘SQLBrowser’
-‘SQLsafe’
-‘SQLSERVERAGENT’
-‘SQLTELEMETRY’
-‘SQLWriter’
-‘SSISTELEMETRY130’
-‘SstpSvc’
-‘storflt’
-‘svcGenericHost’
-‘swc_service’
-‘swi_filter’
-‘swi_service’
-‘swi_update’
-‘Symantec’
-‘sysmon’
-‘TeamViewer’
-‘Telemetryserver’
-‘ThreatLockerService’
-‘TMBMServer’
-‘TmCCSF’
-‘TmFilter’
-‘TMiCRCScanService’
-‘tmlisten’
-‘TMLWCSService’
-‘TmPfw’
-‘TmPreFilter’
-‘TmProxy’
-‘TMSmartRelayService’
-‘tmusa’
-‘Tomcat’
-‘Trend Micro Deep Security Manager’
-‘TrueKey’
-‘UFNet’
-‘UI0Detect’
-‘UniFi’
-‘UTODetect’
-‘vds’
-‘Veeam’
-‘VeeamDeploySvc’
-‘Veritas System Recovery’
-‘vmic’
-‘VMTools’
-‘vmvss’
-‘VSApiNt’
-‘VSS’
-‘W3Svc’
-‘wbengine’
-‘WdNisSvc’
-‘WeanClOudSve’
-‘Weems JY’
-‘WinDefend’
-‘wmms’
-‘wozyprobackup’
-‘WPFFontCache_v0400’
-‘WRSVC’
-‘TmProxy’
-‘TMSmartRelayService’
-‘tmusa’
-‘Tomcat’
-‘Trend Micro Deep Security Manager’
-‘TrueKey’
-‘UFNet’
-‘UI0Detect’
-‘UniFi’
-‘UTODetect’
-‘vds’
-‘Veeam’
-‘VeeamDeploySvc’
-‘Veritas System Recovery’
-‘vmic’
-‘VMTools’
-‘vmvss’
-‘VSApiNt’
-‘VSS’
-‘W3Svc’
-‘wbengine’
-‘WdNisSvc’
-‘WeanClOudSve’
-‘Weems JY’
-‘WinDefend’
-‘wmms’
-‘wozyprobackup’
-‘WPFFontCache_v0400’
-‘WRSVC’
-‘wsbexchange’
-‘WSearch’
-‘wscsvc’
-‘Zoolz 2 Service’ condition: all of selection_*
condition: all of selection_*
falsepositives:
– Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false
positive, please consider adding filters to the parent process launching this command and not removing the entry
level: high
source: surface web
IOCs:
Kindly refer to the IOCs section to exercise control of your security systems.
STRATEGIC RECOMMENDATION
MANAGEMENT RECOMMENDATION
TACTICAL RECOMMENDATION
Type: Botnet| Objectives: Operational Disruption, Stealing Sensitive Information, Data Exfiltration| Target Technology: Linux OS | Target Geography: Global
CYFIRMA collects data from various forums based on which the trend is ascertained. We identified a few popular malware that were found to be distributed in the wild to launch cyberattacks on organizations or individuals.
Active Malware of the week
This week “Prometei” is trending.
Prometei
Researchers have identified a new variant of Prometei that signals a renewed focus on targeting Linux systems. Originally uncovered in mid-2020, it is designed to quietly infiltrate machines and exploit them for two main purposes: stealing credentials and mining cryptocurrency, particularly Monero. What makes Prometei especially dangerous is its adaptability—new features and tools are continually being added by its operators.
The latest variant includes a backdoor that enables a wide range of malicious activities, allowing threat actors to maintain control over infected systems. It also employs techniques like domain generation for command-and-control communication and self-updating mechanisms to avoid detection and ensure long-term persistence. The malware’s modular structure means it can evolve easily, posing an ongoing threat across different platforms. As cybercriminals continue to refine Prometei, it’s becoming a more versatile and persistent tool in their arsenal.
Evolution of Prometei
The Prometei botnet has steadily evolved into a more adaptable and financially motivated threat. While its early activity focused on Windows systems, the Linux variant soon followed, and by 2025, newer versions have emerged with more advanced capabilities. These recent versions continue to pursue the botnet’s original goals while adopting stronger strategies to remain active in compromised environments.
Prometei relies on various methods to spread, including password-guessing tactics and known vulnerabilities. It’s capable of moving through internal networks and staying connected to its operators through rotating domain names and self-updating functionality. These features make the botnet difficult to track or shut down, ensuring it can stay operational even when parts of its infrastructure are blocked.
Though mining cryptocurrency remains its main purpose, Prometei is also equipped to harvest credentials and deploy additional malware when needed. Built with a modular structure, the botnet operates through independent components for each task—whether infiltration, data theft, or communication—making it easier for attackers to update or swap out specific components without interrupting overall functionality.
Attack method
Prometei’s latest attack method reveals a shift in how the botnet is delivered and executed on Linux systems. The malware is distributed through a deceptively named web link ending in a “.php” extension, masking an executable file intended to infect targets.
This file isn’t tied to any specific region, allowing wide-scale distribution from a server based in Indonesia. Although the filename suggests it’s a harmless script, the reality is much more deceptive.
The latest Prometei versions, particularly those observed in 2025, are compressed using packing techniques that make them smaller and more difficult to examine. This method conceals the true nature of the file until it’s activated on a compromised system. To further complicate detection and analysis, the malware includes a hidden configuration layer that prevents standard tools from unpacking it. Only after removing this hidden layer can researchers inspect the malware properly—and even then, reattaching the configuration is necessary for it to operate as intended.
Once active, the malware quietly gathers detailed information about the infected system, such as hardware details and how long the system has been running. It then transmits this data to a remote server under the attackers’ control. These enhancements show how Prometei continues to be refined for stealth, persistence, and adaptability, reinforcing its status as a serious and evolving cyber threat.
Following are the TTPs based on the MITRE Attack Framework
| Tactic | Technique ID | Technique Name |
| Persistence | T1543 | Create or Modify System
Process |
|
Persistence |
T1543.002 |
Create or Modify System Process: Systemd Service |
| Privilege Escalation | T1543 | Create or Modify System
Process |
|
Privilege Escalation |
T1543.002 |
Create or Modify System Process: Systemd Service |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1036 | Masquerading |
| Defense Evasion | T1070 | Indicator Removal |
| Defense Evasion | T1070.004 | Indicator Removal: File Deletion |
| Defense Evasion | T1070.006 | Indicator Removal: Timestomp |
|
Defense Evasion |
T1222 |
File and Directory Permissions Modification |
| Defense Evasion | T1564 | Hide Artifacts |
|
Defense Evasion |
T1564.001 |
Hide Artifacts: Hidden Files and Directories |
| Credential Access | T1003 | OS Credential Dumping |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1518 | Software Discovery |
|
Discovery |
T1518.001 |
Software Discovery: Security Software Discovery |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1090 | Proxy |
| Command and Control | T1095 | Non-Application Layer Protocol |
| Command and Control | T1105 | Ingress Tool Transfer |
ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that Prometei is likely to operate with greater stealth and autonomy, making it increasingly difficult for anyone to detect its presence or trace its activities. As it evolves, it may quietly degrade system performance by consuming processing power for unauthorized tasks like mining, all while remaining hidden through self-updating and domain-switching capabilities. Its continued ability to extract sensitive information without raising alarms could lead to wider compromises across interconnected platforms and services. As more systems become targets regardless of their operating environment, Prometei’s silent persistence may result in prolonged exposure, unnoticed data leaks, and system misuse that gradually erode digital trust and stability.
IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.
YARA Rule
rule Prometei_Botnet_Indicators
{
meta:
description = “Detects Prometei Botnet-related strings (sha256, urls)” author = “CYFIRMA”
malware_family = ” Prometei ”
strings:
// SHA-256 Hashes
$sha256_1 = “d4566c778c2c35e6162a8e65bb297c3522dd481946b81baffc15bb7d7a4fe531”
$sha256_2 = “d21c878dcc169961bebda6e7712b46adf5ec3818cc9469debf1534ffa8d74fb7”
$sha256_3 = “b1d893c8a65094349f9033773a845137e9a1b4fa9b1f57bdb57755a2a2dcb708”
$sha256_4 = “87f5e41cbc5a7b3f2862fed3f9458cd083979dfce45877643ef68f4c2c48777e”
$sha256_5 = “7a027fae1d7460fc5fccaf8bed95e9b28167023efcbb410f638c5416c6af53ff”
$sha256_6 = “67279be56080b958b04a0f220c6244ea4725f34aa58cf46e5161cfa0af0a3fb0”
$sha256_7 = “656fa59c4acf841dcc3db2e91c1088daa72f99b468d035ff79d31a8f47d320ef”
$sha256_8 = “205c2a562bb393a13265c8300f5f7e46d3a1aabe057cb0b53d8df92958500867”
$sha256_9 = “cc7ab872ed9c25d4346b4c58c5ef8ea48c2d7b256f20fe2f0912572208df5c1a”
// urls
$url1 = “http://103.41.204.104/k.php”
$url2 = “http://152.36.128.18/cgi-bin/p.cgi”
condition:
any of ($sha256_*) or any of ($url*)
}
STRATEGIC:
MANAGEMENT:
TACTICAL RECOMMENDATIONS:
Key Intelligence Signals:
North Korea’s TA444 (also known as Bluenoroff, Lazarus Group) continues to evolve its tactics, with a persistent focus on targeting cryptocurrency assets and infrastructure
About the Threat Actor
Since at least 2009, the Lazarus Group and its affiliated entities have been identified as a highly sophisticated advanced persistent threat (APT) group, reportedly operating under the direction of the North Korean government, as noted by the Council on Foreign Relations (CFR). Operating under multiple aliases, the group is believed to be associated with Lab 110, a unit within the Democratic People’s Republic of Korea (DPRK) military intelligence apparatus.
Lazarus Group and its affiliates are known for their advanced capabilities in rapidly developing, modifying, and evolving malware and exploits through a dedicated malware development unit. In recent years, the group has increasingly focused its activities on targeting cryptocurrency exchanges and related financial platforms.
TA444, also known as Bluenoroff, is a distinct APT subgroup under the broader Lazarus umbrella. Active since at least 2017, TA444 is a North Korean state-sponsored threat actor primarily engaged in financially motivated cyber operations. The group’s key objectives include the monetization of cyber intrusions and the execution of global espionage campaigns, with a strong emphasis on compromising cryptocurrency firms.
TTPs based on MITRE ATT&CK Framework
| Tactic | ID | Technique |
| Resource Development | T1583.001 | Acquire Infrastructure: Domains |
| Resource Development | T1583.006 | Acquire Infrastructure: Web Services |
| Resource Development | T1587.001 | Develop Capabilities: Malware |
| Resource Development | T1588.004 | Obtain Capabilities: Digital Certificates |
| Initial Access | T1566.001 | Phishing: Spear phishing Attachment |
| Initial Access | T1189 | Drive-by Compromise |
| Initial Access | T1566.002 | Phishing: Spear phishing Link |
| Execution | T1059.002 | Command and Scripting Interpreter: AppleScript |
| Execution | T1203 | Exploitation for Client Execution |
| Execution | T1204.002 | User Execution: Malicious File |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows
Command Shell |
| Execution | T1059.001 | Command and Scripting Interpreter:
PowerShell |
| Execution | T1047 | Windows Management Instrumentation |
| Persistence | T1098 | Account Manipulation |
| Persistence | T1547.001 | Boot or Logon AutoStart Execution: Registry
Run Keys / Startup Folder |
| Persistence | T1547.009 | Boot or Logon AutoStart Execution: Shortcut
Modification |
| Persistence | T1543.003 | Create or Modify System Process: Windows
Service |
| Persistence | T1543.004 | Create or Modify System Process: Launch
Daemon |
| Persistence | T1542.003 | Pre-OS Boot: Bootkit |
| Privilege Escalation | T1134.002 | Access Token Manipulation: Create Process
with Token |
| Privilege Escalation | T1547.001 | Boot or Logon AutoStart Execution: Registry
Run Keys / Startup Folder |
| Privilege Escalation | T1547.009 | Boot or Logon AutoStart Execution: Shortcut
Modification |
| Privilege Escalation | T1543.003 | Create or Modify System Process: Windows
Service |
| Privilege Escalation | T1055.001 | Process Injection: Dynamic-link Library
Injection |
| Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or
Location |
| Defense Evasion | T1036 | Masquerading |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1134.002 | Access Token Manipulation: Create Process
with Token |
| Defense Evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify System
Firewall |
| Defense Evasion | T1562.004 | Impair Defenses: Disable or Modify Tools |
| Defense Evasion | T1070.004 | Indicator Removal on Host: File Deletion |
| Defense Evasion | T1070.006 | Indicator Removal on Host: Timestomp |
| Defense Evasion | T1036.001 | Masquerading: Invalid Code Signature |
| Defense Evasion | T1542.003 | Pre-OS Boot: Bootkit |
| Defense Evasion | T1055.001 | Process Injection: Dynamic-link Library Injection |
| Defense Evasion | T1218.001 | Signed Binary Proxy Execution: Compiled HTML File |
| Credential Access | T1110.003 | Brute Force: Password Spraying |
| Credential Access | T1056.001 | Input Capture: Keylogging |
| Credential Access | T1555 | Credentials from Password Stores |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1010 | Application Window Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1057 | Process Discovery |
| Discovery | T1012 | Query Registry |
| Discovery | T1016 | System Network Configuration Discovery |
| Discovery | T1124 | System Time Discovery |
| Discovery | T1033 | System Owner/User Discovery |
| Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol |
| Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares |
| Collection | T1560 | Archive Collected Data |
| Collection | T1560.002 | Archive Collected Data: Archive via Library |
| Collection | T1560.003 | Archive Collected Data: Archive via Custom Method |
| Collection | T1005 | Data from Local System |
| Collection | T1074.001 | Data Staged: Local Data Staging |
| Collection | T1056.001 | Input Capture: Keylogging |
| Collection | T1115 | Clipboard Data |
| Collection | T1113 | Screen Capture |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |
| Command and Control | T1132.001 | Data Encoding: Standard Encoding |
| Command and Control | T1001.003 | Data Obfuscation: Protocol Impersonation |
| Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography |
| Command and Control | T1008 | Fallback Channels |
| Command and Control | T1105 | Ingress Tool Transfer |
| Command and Control | T1571 | Non-Standard Port |
| Command and Control | T1090.002 | Proxy: External Proxy |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1102 | Web Service |
|
Exfiltration |
T1048.003 |
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Impact | T1485 | Data Destruction |
| Impact | T1491.001 | Defacement: Internal Defacement |
| Impact | T1561.001 | Disk Wipe: Disk Content Wipe |
| Impact | T1561.002 | Disk Wipe: Disk Structure Wipe |
| Impact | T1496 | Resource Hijacking |
| Impact | T1657 | Financial Theft |
| Impact | T1489 | Service Stop |
| Impact | T1529 | System Shutdown/Reboot |
Latest Developments Observed
Recently, the threat actor was suspected of targeting individuals within the Web3 and cryptocurrency sectors by leveraging misleading Zoom calls that feature deep- faked representations of company executives. These calls are designed to manipulate employees into installing malware on Apple macOS devices. The initial outreach is believed to occur via external contacts on Telegram. The primary motivation behind these activities appears to be the exfiltration of sensitive information and financial gains.
ETLM Insights:
The North Korean state-sponsored threat actor Lazarus Group and its affiliated entities hold a unique position as both an advanced persistent threat (APT) and a highly sophisticated cybercriminal group. Renowned for their agility and continual evolution in tactics and techniques, these groups consistently develop novel methods to target governments, organizations, and individuals globally.
Their operations serve dual objectives: conducting cyber-espionage and executing financially motivated attacks, particularly through the theft of cryptocurrency assets. These activities are largely driven by the need to circumvent international sanctions and secure funding for North Korea’s defence programs, including missile development and nuclear technology initiatives. In addition to direct cyberattacks, the group is also known to offer Hacker-as-a-Service (HaaS) capabilities to other nation-state actors, enabling them to acquire sensitive information in exchange for financial compensation or technological support.
IOCs
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.
YARA Rules
rule APT_Lazarus_DTrack_Manuscrypt
{
meta:
description = “Detects malware associated with Lazarus Group (DTrack/Manuscrypt variants)”
author = “CYFIRMA” date = “2025-06-24”
threat_group = “Lazarus Group (APT38 / TA404 / Bluenoroff)” malware_family = “DTrack, Manuscrypt”
strings:
$s1 = “dtrack_report_” ascii
$s2 = “rundll32.exe” ascii
$s3 = “regsvr32.exe” ascii
$s4 = “Kaspersky Lab” wide
$s5 = “Software\\Microsoft\\Windows\\CurrentVersion\\Run” wide
$s6 = “SCardDlgClass” wide
$s7 = “CreateToolhelp32Snapshot” ascii
$s8 = “NtQuerySystemInformation” ascii
$s9 = “cmd.exe /c” ascii
$c2_1 = “update.microsoft-support[.]org” ascii
$c2_2 = “dtrack[.]com” ascii
$c2_3 = “172.104.” ascii |
condition:
(uint16(0) == 0x5A4D)
and (1 of ($s*) or 1 of ($c2*))
}
Strategic
Management
Tactical
Salt Typhoon breached North American telecom organizations
The Canadian Centre for Cyber Security and the U.S. FBI issued a joint bulletin warning that the Chinese state-sponsored group Salt Typhoon is targeting Canadian telecommunications, with at least one breach confirmed earlier this year. The bulletin notes, “In mid-February 2025, Salt Typhoon actors likely compromised three network devices belonging to a Canadian telecom company, exploiting CVE-2023-20198 to access configuration files and modifying at least one to establish a GRE tunnel for network traffic collection.”
It further states, “We assess that PRC cyber actors will likely continue targeting Canadian organizations, including telecom providers and their clients, for espionage over the next two years.”
Meanwhile, Viasat is the latest U.S. telecom identified as a victim of Salt Typhoon’s cyberespionage campaign. Viasat reported, “Following an investigation with a third- party cybersecurity partner, we found no evidence of customer impact from unauthorized access via a compromised device.” The company noted the incident has been remediated, with no recent activity detected, but could not disclose details of the ongoing government investigation. The campaign, which emerged last year, also targeted Verizon, AT&T, and Lumen, collecting tens of millions of phone records.
ETLM Assessment:
Last year campaigns by Volt Typhoon and Salt Typhoon have been focused on the countries surrounding the South China Sea, where China presses territorial claims on countries like the Philippines, Vietnam or Indonesia, as well as on the United States, with which China is in conflict over primacy in the region and global affairs as a whole. Guam; a US territory in the Western Pacific that is home to significant US military bases, has been especially targeted. Chinese hackers have been lately mainly focusing on the defense industrial base, successfully compromising the networks of contractors to the Pentagon’s
U.S. Transportation Command 20 times in a single year, while many other incursions have probably never been found. The increasingly assertive Chinese posturing likely means that Beijing’s hackers are trying to position themselves in a way that could try to paralyze
U.S. critical infrastructure in case of an eruption of conflict between the two countries over the issue of Taiwanese or Philippine waters. An attempt to induce societal panic in their adversary in case of conflict is an inherent part of Chinese military doctrine and targeting of telecoms could affect U.S. military operations in significant ways.
The US expects a heightened risk of Iranian cyberattacks
The U.S. Department of Homeland Security has issued a warning about an increased risk of Iranian cyberattacks following U.S. military strikes on Iran’s nuclear facilities. In a National Terrorism Advisory System Bulletin released yesterday, the ministry stated, “Pro- Iranian hacktivists are likely to conduct low-level cyberattacks against U.S. networks, and Iranian government-affiliated cyber actors may also target U.S. networks.” The bulletin noted that both hacktivists and Iranian state-linked actors often exploit poorly secured
U.S. networks and internet-connected devices for disruptive cyberattacks.
ETLM Assessment:
Amid the ongoing hot stage of the war between Israel and Iran, a parallel cyber conflict is unfolding—one that remains largely overshadowed by the spectacle of missile strikes and air raids. Yet this digital battlefield is just as strategically significant. Both nations are using cyber operations to sabotage infrastructure, disrupt military planning, and undermine financial networks. While the physical war dominates headlines so far, the cyber war may prove more enduring, with long-term impacts on critical systems and civilian life that are less visible but strongly contributing to the efforts of both nations.
Iran’s cyberattacks have yielded mixed results, often with exaggerated or fabricated impacts to heighten psychological effects. Overhyping these incidents risks amplifying the attackers’ influence. Still, individual businesses could face serious consequences and should adopt ransomware prevention measures to mitigate risks.
The Qilin Ransomware Impacts the RMZ Oil Field
Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Japan, Nipro Medical Corporation (https[:]//nipro[.]com/), was compromised by Qilin Ransomware. Nipro Medical Corporation, headquartered in Bridgewater, is a subsidiary of Nipro Corporation, headquartered in Osaka, Japan. Nipro Corporation is a Japanese multinational company specializing in medical devices, pharmaceutical products, and pharmaceutical packaging. The company operates globally, with subsidiaries and offices in more than 56 countries worldwide. The compromised data includes financial documents, export commercial invoices, purchase orders, trial balance reports, and other confidential and sensitive information related to the organization. The total volume of the exposed data is approximately 400 GB
Relevancy & Insights:
ETLM Assessment:
According to CYFIRMA’s assessment, Qilin ransomware poses a significant threat to organizations of all sizes. Its evolving tactics, including double extortion (data encryption and leak threats), cross-platform capabilities (Windows and Linux, including VMware ESXi), and focus on speed and evasion, make it a particularly dangerous actor.
Dire Wolf Ransomware Impacts Thairung Group
Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Thailand, Thairung Group (https[:]//www[.]thairunggroup[.]co[.]th), was compromised by Dire Wolf Ransomware. Thairung Group is a comprehensive automotive and mobility solutions provider in Thailand. They span manufacturing, sales, rentals, property, hospitality, and service support. The compromised data includes the core business database, financial records, commercial contracts, sales documents, and customer information. The total volume of the exposed data is approximately 1 terabyte
Relevancy & Insights:
ETLM Assessment:
According to CYFIRMA’s assessment, Dire Wolf is a newly identified ransomware group that emerged in May 2025, distinguished by its use of double-extortion tactics combining data encryption with data theft and threats of public exposure via an onion- based leak site. The group appears to operate solely for financial gains, without ideological motives. Its emergence highlights the evolving nature of ransomware threats in 2025, particularly the increased reliance on data exfiltration to amplify extortion efforts. These activities reinforce the urgent need for strong cybersecurity defenses and effective incident response strategies across all sectors.
Vulnerability in TeamViewer
Relevancy & Insights:
The vulnerability exists due to incorrect permission assignment for critical resource within the Remote Management features: Backup, Monitoring, and Patch Management.
Impact:
A local unprivileged user can delete arbitrary files with SYSTEM privileges by leveraging the MSI rollback mechanism and escalating privileges on the system.
Affected Products:
https[:]//www[.]teamviewer[.]com/en/resources/trust- center/security-bulletins/tv-2025-1002/?
Recommendations:
TOP 5 AFFECTED TECHNOLOGIES OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.
ETLM Assessment
Vulnerability in TeamViewer can pose significant threats to user privacy and security. This can impact various industries globally, including technology, healthcare, finance, and remote support services. Ensuring the security of TeamViewer is crucial for maintaining the integrity and protection of users’ data and systems worldwide. Therefore, addressing these vulnerabilities is essential to safeguarding remote access, desktop sharing, and IT support operations across different geographic regions and sectors.
NightSpire Ransomware attacked and published the data of the Al Tadawi Specialty Hospital
Summary:
Recently, we observed that NightSpire Ransomware attacked and published the data of the Al Tadawi Specialty Hospital(https[:]//tadawi[.]ae/) on its dark web website. Al Tadawi Specialty Hospital is a multi-specialty healthcare provider based in Dubai, United Arab Emirates. The hospital is recognized for its integrated spectrum of healthcare services, offering comprehensive care across various specialties including gynaecology, cardiology, dermatology, pediatrics, and dentistry all under one roof. The facility emphasizes luxury, safe medical care, and patient-centered service, with a focus on providing accessible, high-quality healthcare for both adults and children. The data leak resulting from the ransomware attack includes comprehensive personal information of all doctors and staff, such as identification documents, photographs, Emirates ID, passport and visa copies, CVs, and professional certificates.
Additionally, the breach exposed the medical records of approximately 3 million patients. These records contain sensitive details including full names, nationalities, dates of birth, email addresses, home addresses, and medical histories.
Among the affected individuals, 3,700 are VIP members of Al Tadawi Specialty Hospital who use exclusive VIP cards. The compromised data set also includes thousands of medical summary reports and individual test result documents. The total size of the data compromised is approximately 1.5 TB.
Relevancy & Insights:
ETLM Assessment:
According to CYFIRMA’s assessment, NightSpire is a new ransomware group that emerged in early 2025, marking itself as a formidable player in the rapidly evolving ransomware landscape. Despite its recent appearance, NightSpire has already gained attention for its aggressive tactics and well-structured operations.
BEAM Technologies Japan Data Advertised on a Leak Site
Summary:
The CYFIRMA Research team observed a data leak related to BEAM Technologies Japan(https[:]//beam-tec[.]jp/) in an underground forum. BEAM Technologies Inc. is a Japanese startup specializing in the design and development of advanced optical semiconductor light sources, with a particular focus on Far-UVC emitters operating in the 200–230 nm wavelength range. The company’s core technology was developed in collaboration with RIKEN, one of Japan’s leading research institutes, and BEAM Technologies is officially recognized as a RIKEN-origin startup. The data leak includes confidential and sensitive information about the organization. The data leak is attributed to the threat actor “303.”
Thailand’s Cyber Police Access Advertised on a Leak Site
Summary:
The CYFIRMA Research team observed an access sale related to Thailand’s Cyber Police in an underground forum. A threat actor has allegedly breached the internal systems of Thailand’s Technology Crime Suppression Division (TCSD) and is attempting to sell access on a dark web forum. The TCSD is a crucial unit of the Royal Thai Police, responsible for investigating a wide range of cybercrimes, including online fraud, identity theft, and illegal digital content. The division’s role in national security and digital surveillance makes this alleged breach particularly alarming, as it could compromise sensitive law enforcement data and ongoing investigations.
The seller posted screenshots purportedly showing administrative access to a “5C Center” dashboard. The images display highly sensitive information, suggesting a deep compromise of the cyber police’s operational data. The alleged breach appears to provide access to a vast database of criminal cases and citizen information. The exposure of such data could not only hamper police operations but also place victims and informants at significant risk.
The allegedly leaked data includes:
Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.
ETLM Assessment:
The threat actor identified as “303” has been implicated in several data breaches, with reliable sources confirming their role in unauthorized system access and the trafficking of stolen data on dark web marketplaces. Their continued operations reflect the dynamic and persistent nature of cyber threats emerging from the dark web. These incidents emphasize the critical need for organizations to enhance their cybersecurity frameworks by adopting continuous monitoring, leveraging threat intelligence, and deploying proactive defense measures to safeguard sensitive information.
Recommendations: Enhance the cybersecurity posture by:
The CYFIRMA Research team observed that a threat actor has allegedly leaked a massive trove of sensitive customer and payment data implicating several major financial, telecommunications, and technology firms across Asia. The data leak reportedly stems from a dispute over a penetration test conducted on RedDotPayment, a major Singapore-based payment gateway owned by global fintech giant PayU. The actor claims they are now selling the data after the company refused to honor a prior agreement. The breach potentially affects customers of RedDotPayment and other major companies, including Thailand’s fifth-largest bank, Krungsri (Bank of Ayudhya), the state-owned National Telecom of Thailand, and the Taiwanese online security and payment solutions firm, HiTRUST Inc.
The implicated companies are significant players in their respective markets. RedDotPayment is a critical component of the e-commerce infrastructure in Southeast Asia, processing online transactions for a vast network of merchants. The alleged involvement of Krungsri, a systemically important bank in Thailand, and National Telecom, a major Thai telecommunications provider, widens the potential impact to a large base of banking and telecom customers. Furthermore, the inclusion of HiTRUST, a company specializing in online transaction security, is particularly concerning. Given the nature of the exposed data, this incident poses a severe risk of financial fraud, identity theft, and other malicious activities targeting the affected individuals.
The leaked data samples appear to be raw transaction records containing highly sensitive personal and financial information. If the full database is as comprehensive as the samples suggest, the consequences for consumers could be severe. An analysis of the allegedly leaked information indicates it includes the following:
Source: Underground Forums
Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.
For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, and technology, please access DeCYFIR.
