Weekly Intelligence Report – 3 July 2025

Published On : 2025-07-03

Ransomware of the week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This covers multiple industries, geographies, and technologies that could be relevant to your organization.

Type: Ransomware
Target Technologies: Windows
Target Countries: Japan, USA, Germany
Target Industry: Financial Services, Employment Services, Media

Introduction
CYFIRMA Research and Advisory Team has found KaWaLocker Ransomware while monitoring various underground forums as part of our Threat Discovery Process.

KaWaLocker Ransomware
Researchers have recently uncovered a new ransomware variant dubbed KaWaLocker. Once it has infiltrated a victim’s system, KaWaLocker quickly encrypts various file types and appends a randomly generated character string to each filename, making it difficult to identify or recover the original files. In each affected directory, the ransomware drops a ransom note titled “!!Restore-My-file-Kavva.txt”, providing instructions on the steps to follow for ransom payment and regaining access to the data.

Screenshot of files encrypted by ransomware (Source: Surface Web)

The ransom note informs victims that their network has been compromised and files encrypted. It states that sensitive data such as manufacturing details, service credentials, customer and employee information, and financial records have been exfiltrated. Victims are threatened with data leaks on the dark web if demands are not met and warned that modifying the locked files or using third-party decryption tools can render them undecryptable. The ransom note cautions them against reaching out to law enforcement agencies.

The appearance of KaWaLocker’s ransom note (“!!Restore-My-file-Kavva.txt”) (Source: Surface Web)

Screenshot of KaWaLocker’s Tor network website (Source: Surface Web)

Targeted countries by Ransomware

Following are the TTPs based on the MITRE ATT&CK Framework

Relevancy and Insights:

  • The ransomware targeted Windows OS predominantly used by organizations across industries.
  • calls-wmi: The ransomware uses Windows Management Instrumentation (WMI), a powerful feature that allows scripts or malware to gather system information, manage processes, or execute commands stealthily, often used to evade detection or perform reconnaissance.
  • Detect-debug-environment: This shows that the ransomware checks whether it’s running in a debug or virtualized environment, a common anti-analysis tactic used to evade sandboxes or security researchers by terminating or altering behavior when such conditions are detected.
  • The ransomware runs commands such as vssadmin.exe Delete Shadows /all /quiet and wmic shadowcopy delete /nointeractive to delete Volume Shadow Copies, which Windows uses for backup and restore. By removing these shadow copies, the malware ensures that victims cannot recover their files via system restore points or backup utilities.

ETLM Assessment:

CYFIRMA’s analysis of KaWaLocker, based on available data, indicates that it is emerging as a significant ransomware threat, particularly to high-value sectors such as Financial Services, Employment Services, Media, and other data-sensitive industries. While current activity has been observed in Japan, the United States, and Germany, its targeting behavior suggests likely expansion into additional regions, especially those with critical infrastructure and valuable data assets. KaWaLocker’s deployment of both encryption and data exfiltration aligns with the growing trend of dual-impact extortion campaigns. Organizations in vital sectors are advised to enhance their cybersecurity readiness.

Sigma rule:

title: Shadow Copies Deletion Using Operating Systems Utilities
tags:
    - attack.defense-evasion
    - attack.impact
    - attack.t1070
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection1_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\wmic.exe'
              - '\vssadmin.exe'
              - '\diskshadow.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'wmic.exe'
              - 'VSSADMIN.EXE'
              - 'diskshadow.exe'
    selection1_cli:
        CommandLine|contains|all:
            - 'shadow'   # will match "delete shadows" and "shadowcopy delete" and "shadowstorage"
            - 'delete'
    selection2_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection2_cli:
        CommandLine|contains|all:
            - 'delete'
            - 'catalog'
            - 'quiet'   # will match -quiet or /quiet
    selection3_img:
        - Image|endswith: '\vssadmin.exe'
        - OriginalFileName: 'VSSADMIN.EXE'
    selection3_cli:
        CommandLine|contains|all:
            - 'resize'
            - 'shadowstorage'
        CommandLine|contains:
            - 'unbounded'
            - '/MaxSize='
    condition: (all of selection1*) or (all of selection2*) or (all of selection3*)
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
    - LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)
level: high
(Source: Surface Web)
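The three selections of the Sigma rule above, expressed as plain Python and run over constructed process_creation events, as an added example that is not part of the original report. It assumes the event fields Image, OriginalFileName and CommandLine as Sysmon or Security logs provide them; the sample events are constructed, not real telemetry. Sigma string matching is case-insensitive, so everything is lower-cased before comparison. The renamed-binary event shows why selection1_img lists OriginalFileName as an alternative to Image: a copy of vssadmin.exe saved under another name still carries the original file name in its PE version resource.

```python
"""Added example (not CYFIRMA's code): the Sigma rule's three selections
re-implemented in Python and run over constructed process_creation events."""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal stand-in for a Sysmon EID 1 / Security 4688 process_creation record."""
    image: str
    original_file_name: str
    command_line: str


# selection1_img: a list of maps in Sigma means Image OR OriginalFileName
SEL1_IMG = ("\\powershell.exe", "\\pwsh.exe", "\\wmic.exe", "\\vssadmin.exe", "\\diskshadow.exe")
SEL1_OFN = ("powershell.exe", "pwsh.dll", "wmic.exe", "vssadmin.exe", "diskshadow.exe")


def _image_or_ofn(ev: ProcessEvent, suffixes, ofns) -> bool:
    # Sigma matching is case-insensitive; endswith/equality on lower-cased values
    return ev.image.lower().endswith(suffixes) or ev.original_file_name.lower() in ofns


def _contains_all(haystack: str, needles) -> bool:
    return all(n in haystack for n in needles)


def _contains_any(haystack: str, needles) -> bool:
    return any(n in haystack for n in needles)


def match_shadow_copy_deletion(ev: ProcessEvent) -> list[str]:
    """Return the selection groups that fire; an empty list means no alert."""
    cli = ev.command_line.lower()
    hits = []
    # selection1: vssadmin/wmic/diskshadow/PowerShell with "shadow" and "delete"
    if _image_or_ofn(ev, SEL1_IMG, SEL1_OFN) and _contains_all(cli, ("shadow", "delete")):
        hits.append("selection1")
    # selection2: wbadmin delete catalog with -quiet or /quiet
    if _image_or_ofn(ev, ("\\wbadmin.exe",), ("wbadmin.exe",)) and \
            _contains_all(cli, ("delete", "catalog", "quiet")):
        hits.append("selection2")
    # selection3: vssadmin resize shadowstorage ... unbounded or /MaxSize=
    if _image_or_ofn(ev, ("\\vssadmin.exe",), ("vssadmin.exe",)) and \
            _contains_all(cli, ("resize", "shadowstorage")) and \
            _contains_any(cli, ("unbounded", "/maxsize=")):
        hits.append("selection3")
    return hits


# Constructed sample events (not real telemetry). The first two are the commands
# named in the KaWaLocker write-up; the rest probe edge cases of the rule.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe", "VSSADMIN.EXE",
                 "vssadmin.exe Delete Shadows /all /quiet"),
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe",
                 "wmic shadowcopy delete /nointeractive"),
    ProcessEvent(r"C:\Windows\System32\wbadmin.exe", "WBADMIN.EXE",
                 "wbadmin delete catalog -quiet"),
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe", "VSSADMIN.EXE",
                 "vssadmin resize shadowstorage /For=C: /On=C: /MaxSize=unbounded"),
    # Renamed copy of vssadmin: Image no longer matches, OriginalFileName still does
    ProcessEvent(r"C:\Users\Public\svc.exe", "VSSADMIN.EXE",
                 "svc.exe delete shadows /all /quiet"),
    # Benign enumeration: has "shadow" but no "delete", so no alert
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe", "VSSADMIN.EXE",
                 "vssadmin list shadows"),
]


def scan(events) -> list[tuple[str, list[str]]]:
    """Return (command_line, fired selections) for every event that alerts."""
    out = []
    for ev in events:
        hits = match_shadow_copy_deletion(ev)
        if hits:
            out.append((ev.command_line, hits))
    return out


if __name__ == "__main__":
    for cli, hits in scan(SAMPLE_EVENTS):
        print(f"ALERT {hits}: {cli}")
```

The benign "vssadmin list shadows" event is the kind of administrative activity the rule's falsepositives section has in mind; anything that matches should still be reviewed against ParentCommandLine, which the rule lists under fields for exactly that purpose.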

IOCs:
Kindly refer to the IOCs section to exercise control of your security systems.

STRATEGIC RECOMMENDATION:

  • Implement strong security protocols, encryption, authentication, and access-credential configurations for access to critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATION:

  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATION:

  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rule for threat detection and monitoring, which will help to detect anomalies in log events and identify and monitor suspicious activities.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.

Trending Malware of the Week

Type: Information Stealer | Objectives: Stealing Sensitive Information, Data Exfiltration | Threat Actor: UAC-0226 | Target Technologies: Windows OS, Browsers | Target Geography: Ukraine | Target Industries: Military, Law Enforcement Agencies, Government

CYFIRMA collects data from various forums, based on which the trend is ascertained. We identified a few popular malware families that were found to be distributed in the wild to launch cyberattacks on organizations or individuals.

Active Malware of the week
This week “GIFTEDCROOK” is trending.

About Malware GIFTEDCROOK

Researchers have identified that the cyber-espionage group UAC-0226 has significantly advanced its operations by evolving its malware, GIFTEDCROOK, from a simple browser-focused infostealer into a sophisticated intelligence-gathering tool. Developed in C/C++, GIFTEDCROOK is distributed through deceptive emails containing malicious Excel attachments. The latest versions are equipped with advanced evasion techniques to bypass traditional security measures. Once executed, the malware rapidly extracts sensitive information, including credentials, browser sessions, cookies, and remote desktop configurations. This progression has positioned GIFTEDCROOK as a notable threat in recent campaigns, highlighting the increasing precision and complexity of modern cyber-espionage operations.

About Threat Actor UAC-0226

UAC-0226 is an espionage-focused threat group that targets Ukraine’s military and government sectors through tailored phishing campaigns, often using weaponized Excel files as initial entry points. UAC-0226 relies on two custom components: a reverse shell built on the .NET framework that incorporates adapted PowerShell scripts from publicly available code, and GIFTEDCROOK, a malware strain that captures sensitive browser information. This data is packaged using PowerShell scripts and discreetly sent through Telegram. To enhance delivery and evade detection, the group frequently hijacks legitimate webmail accounts, a tactic that underscores the value of closely monitoring email infrastructure. Despite using tools with modest technical complexity, UAC-0226 demonstrates a sharp focus on espionage goals, aligning with activity commonly attributed to nation-backed operations.

Attack Method Leveraged

The GIFTEDCROOK malware campaign begins with a targeted spear-phishing approach. Attackers send deceptive emails that appear to originate from legitimate locations within Ukraine, specifically spoofed to resemble official communications from Ukrainian-controlled cities. These emails often contain malicious PDF attachments disguised as urgent notices—often related to military obligations—prompting recipients to follow embedded links.

The links lead to a well-known cloud storage platform, where victims are tricked into downloading a malicious document. The document is designed to mislead the recipient into manually enabling macros by displaying distorted or unreadable content, creating a false impression that activation is necessary to view the information properly. Once macros are enabled, the document triggers the execution of a hidden malware payload.

The implant silently scans the system for files based on specific criteria such as type, size, and date of modification. It collects a wide range of sensitive data, including documents, spreadsheets, images, VPN configurations, and browser credentials from Chrome, Edge, and Firefox. The harvested files are compressed, encrypted, and split if needed before being exfiltrated via private Telegram channels. Finally, the malware erases itself from the system to eliminate forensic traces, ensuring the operation remains undetected.

Following are the TTPs based on the MITRE ATT&CK Framework

Tactic | Technique ID | Technique Name
Initial Access | T1566.002 | Phishing: Spearphishing Link
Execution | T1203 | Exploitation for Client Execution
Persistence | T1542.003 | Pre-OS Boot: Bootkit
Privilege Escalation | T1055 | Process Injection
Defense Evasion | T1014 | Rootkit
Defense Evasion | T1036 | Masquerading
Defense Evasion | T1055 | Process Injection
Defense Evasion | T1542.003 | Pre-OS Boot: Bootkit
Defense Evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories
Defense Evasion | T1564.003 | Hide Artifacts: Hidden Window
Credential Access | T1003 | OS Credential Dumping
Discovery | T1012 | Query Registry
Discovery | T1082 | System Information Discovery
Command and Control | T1071 | Application Layer Protocol
Command and Control | T1095 | Non-Application Layer Protocol
Command and Control | T1573 | Encrypted Channel
Impact | T1485 | Data Destruction
Impact | T1496 | Resource Hijacking


INSIGHTS:

  • GIFTEDCROOK stands out not only for its technical evolution but also for the strategic intent behind its use. Unlike opportunistic malware that casts a wide net, this infostealer is used in highly focused campaigns, indicating a deep level of reconnaissance before execution. The precision of its targeting—particularly during sensitive geopolitical developments—suggests a calculated effort to extract context-specific intelligence rather than broad-spectrum data theft. The timing of its updates, aligned with political events, reflects an operation closely integrated with real-world conflict dynamics.
  • What also distinguishes GIFTEDCROOK is the attacker’s understanding of both the environment and human behavior. The malware’s delivery depends heavily on psychological manipulation through believable baits that exploit crucial or commanding themes. By using documents that reference military obligations or policy changes, the attackers tap into anxieties that compel victims to act quickly, often without verifying authenticity. This layered social engineering, supported by realistic formatting and official tone, shows an investment in crafting scenarios that lower the victim’s
  • Another prominent aspect is the systematic nature of the exfiltration. The malware is designed not just to collect data but to organize and transfer it in a way that reflects operational discipline. By compressing, encrypting, and silently dispatching data through anonymized communication channels, the actors ensure both security and efficiency in their theft. The inclusion of a self-deletion mechanism further indicates an awareness of investigative procedures, helping the malware erase its tracks before analysts can respond. Such attention to operational hygiene reflects a level of maturity rarely seen in conventional cybercrime tools.

ETLM ASSESSMENT

From the ETLM perspective, CYFIRMA anticipates that as cyber-espionage malware like GIFTEDCROOK continue to evolve, their impact is poised to extend far beyond targeted organizations—reshaping digital trust, geopolitical dynamics, and everyday online interactions. As these attacks increasingly mimic official formats and exploit widely used platforms for delivery, users across society may grow more skeptical of routine online communications, including government notices, service updates, or shared documents. This erosion of trust could lead to slower digital adoption in critical sectors or reduce the effectiveness of genuine public outreach efforts. Additionally, we may see geopolitical tensions more frequently mirrored in cyberspace, where malware like GIFTEDCROOK becomes a tool for silent influence. Cyber operations could evolve into a preferred method for shaping narratives, gathering leverage, or destabilizing environments—without overt military engagement. These quieter, persistent digital intrusions could become standard features in international disputes, creating long-term uncertainty in both regional and global affairs. Finally, the continued success of these operations may prompt a shift in how public cloud services, file-sharing platforms, and communication tools are viewed. As threat actors abuse these trusted services to stage and deliver malicious content, there could be growing pressure on platform providers to implement stricter content validation or access controls, potentially reshaping how the internet functions for everyday users.

IOCs:

Kindly refer to the IOCs Section to exercise controls on your security systems.

YARA Rule

rule GIFTEDCROOK_Infostealer
{
    meta:
        description = "Detects GIFTEDCROOK Infostealer based on known strings and behaviors"
        author = "CYFIRMA"
        date = "2025-07-01"
        malware_family = "GIFTEDCROOK"
        threat_type = "Infostealer"
        reference = "Internal Analysis / OSINT"
    strings:
        $s1 = "GIFTEDCROOK" wide ascii
        $s2 = "Crypto Wallets Found:" ascii
        $s3 = "Collected browser credentials" ascii
        $s4 = "Discord Token Grabber" ascii
        $s5 = "System Information Collected" ascii
        $s6 = "https://api.ipify.org" ascii
        $s7 = "AppData\\Local\\Temp\\giftedcrook" wide
        $s8 = "Mozilla\\Firefox\\Profiles" wide
        $s9 = "Chrome\\User Data\\Default\\Login Data" wide
    condition:
        uint16(0) == 0x5A4D and
        (1 of ($s*) or all of ($s1, $s2, $s3))
}

Recommendations:

STRATEGIC:

  • Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audit of workstations, servers, laptops, mobile devices to identify unauthorized/ restricted software.
  • Incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

Management:

  • Security Awareness training should be mandated for all company employees. The training should ensure that employees:
    • Avoid downloading and executing files from unverified
    • Inspect file extensions. Do not trust the filetype logo alone. An executable file can be disguised as a PDF or office document.
  • Regularly reinforce awareness related to different cyberattacks using impersonated domains/spoofed webpages with end-users across the environment and emphasize the human weakness in mandatory information security training.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Add the Yara rules for threat detection and monitoring which will help to detect anomalies in log events and identify and monitor suspicious activities.

CYFIRMA’s WEEKLY INSIGHTS [NEW]

1.   Weekly Attack Types and Trends

Key Intelligence Signals:

  • Attack Type: Ransomware Attacks, Vulnerabilities & Exploits, Data
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains,
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – Qilin Ransomware, Lynx Ransomware | Malware – GIFTEDCROOK
  • Qilin Ransomware – One of the ransomware
  • Lynx Ransomware – One of the ransomware
    Please refer to the trending malware advisory for details on the following:
  • Malware – GIFTEDCROOK
  • Behavior – Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defense evasion, and persistence tactics are being observed.

2.   Threat Actor in Focus

Tracking Educated Manticore: Alias of Charming Kitten/APT35

  • Threat Actor: Educated Manticore (aka Charming Kitten, APT35, Mint Sandstorm)
  • Attack Type: Spear Phishing, Malware Deployment, Credential Harvesting, Domain Masquerading
  • Objective: Espionage, Information Theft
  • Target Technology: Web Browsers, Office Suites Software, Operating Systems, Web Applications
  • Target Geography: Afghanistan, Belgium, Brazil, Canada, Egypt, France, Iran, Iraq, Israel, Jordan, Kuwait, Morocco, Pakistan, Saudi Arabia, Spain, Syria, Turkey, United Arab Emirates, United Kingdom, United States, Venezuela, Western Sahara, Gaza, Yemen
  • Target Industries: Defense, Education, Energy, Financial, Government, Healthcare, IT, Manufacturing, Media, NGOs, Oil and gas, Technology, Telecommunications, Investment Trusts (REITs), Real Estate, Restaurants & Leisure
  • Business Impact: Data Theft, System Compromise, Operational Disruption, Reputational damage

About the Threat Actor

Educated Manticore, also known as Charming Kitten, APT35, or Mint Sandstorm, is an Iranian state-sponsored threat actor active since at least 2014 and continuing operations through 2025. Researchers classified the group as a nation-state-based advanced persistent threat in December 2017, despite its lack of sophistication. It maintains close affiliations with Iran’s Islamic Revolutionary Guard Corps (IRGC) and demonstrates infrastructure and tactical overlaps with other Iranian threat clusters, including Rocket Kitten, Newscaster, NewsBeef, ITG18, and APT42.

Following are the TTPs based on the MITRE ATT&CK Framework

Latest Developments Observed

The threat actor is suspected of carrying out spear-phishing campaigns targeting Israeli journalists, prominent cyber security experts, and computer science professors from leading Israeli universities. Posing as fictitious assistants to technology executives or researchers, the threat actors are leveraging platforms such as Google email/Meet and WhatsApp messages. The motive appears to be credential harvesting, specifically capturing passwords and two-factor authentication (2FA) codes, and gaining unauthorized access to the victims’ accounts for espionage activities.

ETLM Insights

The threat actor and its affiliates are believed to be linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), a highly influential entity that plays a central role in the country’s internal security, economic interests, and projection of power. The IRGC operates under the direct authority of Iran’s Supreme Leader.

This threat group primarily engages in cyberattacks and espionage operations targeting entities perceived as adversaries of Iran, executing highly targeted and strategic campaigns globally. Notably, the group is known to share its infrastructure with other domestic and international threat actors, indicating a collaborative approach aimed at amplifying the reach and impact of its operations.

Over time, the group has significantly advanced its tactics, techniques, and procedures (TTPs), positioning itself as one of the most prominent cyber threat entities within Iran. Its operations often involve multi-stage payloads and prolonged attack chains designed to evade detection, leveraging obfuscation and disguise to maintain persistence within compromised environments.

IOCs

Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

YARA Rules

rule EducatedManticore_CharmingKitten_Generic
{
    meta:
        description = "Detects malware or artifacts linked to Educated Manticore / Charming Kitten (APT35)"
        author = "CYFIRMA"
        date = "2025-07-01"
        actor = "Educated Manticore / Charming Kitten / APT35"
    strings:
        $s1 = "powershell -nop -w hidden -enc" ascii
        $s2 = "System.Net.WebClient" ascii
        $s3 = "Invoke-WebRequest" ascii
        $s4 = "C:\\Users\\Public\\Documents\\BellaCiao.ps1" wide
        $s5 = "New Document.docm" ascii
        $s6 = "APT35_Phishing_Kitten" ascii
        $s7 = "IranianHackers2020" ascii wide
    condition:
        uint16(0) == 0x5A4D and 3 of ($s*)
}

rule EducatedManticore_NetworkInfrastructure_Detection
{
    meta:
        description = "Detects network infrastructure artifacts associated with Charming Kitten (APT35/Mint Sandstorm) operations"
        author = "CYFIRMA"
        date = "2025-07-01"
        threat_actor = "Educated Manticore / Charming Kitten / APT35 / Mint Sandstorm"
        confidence = "High"
    strings:
        // IP addresses
        $ip1 = "185.130.226.71"
        $ip2 = "45.12.2.158"
        $ip3 = "45.143.166.230"
        $ip4 = "91.222.173.141"
        $ip5 = "194.11.226.9"
        $ip6 = "195.66.213.132"
        $ip7 = "146.19.254.238"
        $ip8 = "194.11.226.29"
        $ip9 = "194.11.226.46"
        $ip10 = "194.61.120.185"
        $ip11 = "2.56.126.230"
        $ip12 = "194.11.226.5"
        // Domains
        $d1 = "conn-ectionor.cfd"
        $d2 = "optio-nalynk.online"
        $d3 = "ques-tion-ing.xyz"
        $d4 = "sendly-ink.shop"
        $d5 = "shaer-likn.store"
        $d6 = "alison624.online"
        $d7 = "bestshopu.online"
        $d8 = "black-friday-store.online"
        $d9 = "idea-home.online"
        $d10 = "book-handwrite.online"
        $d11 = "world-shop.online"
        $d12 = "lenan-rex.online"
        $d13 = "first-course.online"
        $d14 = "reading-course.online"
        $d15 = "make-house.online"
        $d16 = "est5090.online"
        $d17 = "zra-roll.online"
        $d18 = "tomas-company.online"
        $d19 = "clame-rade.online"
        $d20 = "dmn-for-hall.online"
        $d21 = "word-course.online"
        $d22 = "clothes-show.online"
        $d23 = "expressmarket.online"
        $d24 = "loads-ideas.online"
        $d25 = "sky-writer.online"
        $d26 = "becker624.online"
        $d27 = "adams-cooling.online"
        $d28 = "stadium-fresh.online"
        $d29 = "royalsoul.online"
        $d30 = "live-message.online"
        $d31 = "teammate-live.online"
        $d32 = "wood-house.online"
        $d33 = "ude-final.online"
        $d34 = "city-splash.online"
        $d35 = "door-black-meter.online"
        $d36 = "prt-max.online"
        $d37 = "albert-company.online"
        $d38 = "human-fly900.online"
        $d39 = "dmn-for-car.online"
        $d40 = "good-student.online"
        $d41 = "goods-companies.online"
        $d42 = "pnl-worth.online"
        $d43 = "ricardo-mell.online"
        $d44 = "live-coaching.online"
        $d45 = "wer-d.info"
        $d46 = "spring-club.info"
        $d47 = "all-for-city.info"
        $d48 = "beta-man.info"
        $d49 = "amg-car-ger.info"
        $d50 = "cc-newton.info"
        $d51 = "steve-brown.info"
        $d52 = "connect-room.online"
        $d53 = "live-gml.online"
        $d54 = "roland-cc.online"
        $d55 = "exir-juice.online"
        $d56 = "yamal-group.online"
        $d57 = "live-conn.online"
        $d58 = "online-room.online"
        $d59 = "platinum-cnt.info"
        $d60 = "crysus-h.info"
        $d61 = "lynda-tricks.online"
        $d62 = "message-live.online"
        $d63 = "white-life-bl.info"
        $d64 = "meet-work.info"
        $d65 = "prj-ph.info"
        $d66 = "hrd-dmn.info"
        $d67 = "ntp-clock-h.info"
        $d68 = "work-meeting.info"
        $d69 = "ph-crtdomain.info"
        $d70 = "nsim-ph.info"
        $d71 = "warning-d.info"
        $d72 = "live-meet.cloud"
        $d73 = "live-meet.blog"
        $d74 = "live-meet.info"
        $d75 = "live-meet.cfd"
        $d76 = "live-meet.live"
        $d77 = "network-show.online"
        $d78 = "redirect-review.online"
        $d79 = "arizonaclub.me"
        $d80 = "backback.info"
        $d81 = "cloth-model.blog"
        $d82 = "cook-tips.info"
        $d83 = "network-review.xyz"
        $d84 = "socks.beauty"
        $d85 = "gallery-shop.online"
        $d86 = "network-game.xyz"
        $d87 = "good-news.cfd"
        $d88 = "network-show-a.online"
        $d89 = "panel-network.online"
        $d90 = "panel-redirect.online"
        $d91 = "encryption-redirect.online"
        $d92 = "thomas-mark.xyz"
        $d93 = "rap-art.info"
        $d94 = "anna-blog.info"
        $d95 = "arrow-click.info"
        $d96 = "best85best.online"
        $d97 = "shadow-network.best"
        $d98 = "good-news.fashion"
        $d99 = "warplogic.pro"
        $d100 = "cyberlattice.pro"
        $d101 = "show-verify.xyz"
        $d102 = "top-game.online"
        $d103 = "suite-moral.info"
        $d104 = "nice-goods.online"
        $d105 = "crysus-p.info"
        $d106 = "wash-less.online"
        $d107 = "ptr-cc.online"
        $d108 = "white-car.online"
        $d109 = "live-content.online"
        $d110 = "bracs-lion.online"
        $d111 = "storm-wave.online"
        $d112 = "course-math.info"
        $d113 = "food-tips-blog.online"
        $d114 = "white-life.info"
        $d115 = "ph-work.info"
        $d116 = "normal-dmn.info"
        $d117 = "panel-meeting.info"
        $d118 = "prj-pa.info"
        $d119 = "ntp-clock-p.info"
        $d120 = "nsim-pa.info"
        $d121 = "pa-crtdomain.info"
        $d122 = "infinit-world.info"
        $d123 = "alex-mendez-fire.info"
        $d124 = "reg-d.info"
        $d125 = "everything-here.info"
        $d126 = "healthy-lifestyle.fit"
        $d127 = "alpha-man.info"
        $d128 = "lesson-first.info"
        $d129 = "master-club.info"
    condition:
        any of ($ip*) or any of ($d*)
}
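The GIFTEDCROOK rule in the previous section and the two Educated Manticore rules above rely on a few YARA matching semantics that are worth understanding before the rules are deployed. What follows is an added example, not CYFIRMA's code and not a YARA engine: a small Python model of just those semantics (the ascii/wide string modifiers, the uint16(0) == 0x5A4D gate, and "N of" counting), carrying a representative subset of each rule's strings and run over constructed byte buffers. It shows three things. A string declared only "wide" (such as $s7 and $s9 in the GIFTEDCROOK rule) matches only its UTF-16LE form, not the same text in ASCII. The uint16(0) == 0x5A4D gate restricts the first two rules to files beginning with "MZ", so the same strings in a text or script file never fire. The infrastructure rule has no such gate and fires on any one of its strings, so it matches any file that merely contains one of the listed domains or IPs, including a text copy of this report; it is therefore better suited to scanning logs or captures than endpoint binaries. In the GIFTEDCROOK condition, "all of ($s1, $s2, $s3)" is already implied by "1 of ($s*)", so only the 1-of count is modelled.

```python
"""Added example (not CYFIRMA's code): a minimal model of the YARA semantics used by
the three rules above (ascii/wide modifiers, the MZ gate, "N of" counting)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class YaraString:
    name: str
    text: str                  # literal with YARA escapes already resolved
    ascii: bool = True         # YARA default when no modifier is given
    wide: bool = False

    def encodings(self) -> list:
        # "wide" alone matches only the UTF-16LE form; "ascii wide" matches both
        forms = []
        if self.ascii:
            forms.append(self.text.encode("ascii"))
        if self.wide:
            forms.append(self.text.encode("utf-16-le"))
        return forms

    def found_in(self, data: bytes) -> bool:
        return any(form in data for form in self.encodings())


@dataclass
class Rule:
    name: str
    strings: list
    require_mz: bool           # models uint16(0) == 0x5A4D in the condition
    min_matches: int           # models "N of ($...)"

    def evaluate(self, data: bytes) -> bool:
        if self.require_mz:
            # uint16 is read little-endian, so the two bytes b"MZ" equal 0x5A4D
            if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
                return False
        return sum(s.found_in(data) for s in self.strings) >= self.min_matches


# Subset of the GIFTEDCROOK rule's strings; $s7 and $s9 are wide-only in the rule.
GIFTEDCROOK = Rule("GIFTEDCROOK_Infostealer", [
    YaraString("$s1", "GIFTEDCROOK", ascii=True, wide=True),
    YaraString("$s2", "Crypto Wallets Found:"),
    YaraString("$s6", "https://api.ipify.org"),
    YaraString("$s7", "AppData\\Local\\Temp\\giftedcrook", ascii=False, wide=True),
    YaraString("$s9", "Chrome\\User Data\\Default\\Login Data", ascii=False, wide=True),
], require_mz=True, min_matches=1)

# Subset of the generic Educated Manticore rule: MZ gate and "3 of ($s*)".
APT35_GENERIC = Rule("EducatedManticore_CharmingKitten_Generic", [
    YaraString("$s1", "powershell -nop -w hidden -enc"),
    YaraString("$s2", "System.Net.WebClient"),
    YaraString("$s3", "Invoke-WebRequest"),
    YaraString("$s4", "C:\\Users\\Public\\Documents\\BellaCiao.ps1", ascii=False, wide=True),
], require_mz=True, min_matches=3)

# Subset of the infrastructure rule: no MZ gate, "any of" -> one hit in any file type.
APT35_INFRA = Rule("EducatedManticore_NetworkInfrastructure_Detection", [
    YaraString("$ip1", "185.130.226.71"),
    YaraString("$d1", "conn-ectionor.cfd"),
    YaraString("$d72", "live-meet.cloud"),
], require_mz=False, min_matches=1)

RULES = (GIFTEDCROOK, APT35_GENERIC, APT35_INFRA)

# Constructed inputs (not real samples). PAD stands in for the rest of a DOS header.
PAD = b"\x00" * 62
SAMPLES = {
    "pe_ascii_hit":        b"MZ" + PAD + b"Crypto Wallets Found:\x00",
    "pe_wide_as_ascii":    b"MZ" + PAD + b"AppData\\Local\\Temp\\giftedcrook\x00",
    "pe_wide_as_utf16":    b"MZ" + PAD + "AppData\\Local\\Temp\\giftedcrook".encode("utf-16-le"),
    "text_no_mz":          b"Crypto Wallets Found:\n",
    "ioc_report_text":     b"Observed C2: conn-ectionor.cfd via 185.130.226.71\n",
    "pe_three_ps_strings": b"MZ" + PAD + b"powershell -nop -w hidden -enc;System.Net.WebClient;Invoke-WebRequest",
    "pe_two_ps_strings":   b"MZ" + PAD + b"System.Net.WebClient;Invoke-WebRequest",
}


def scan_all(data: bytes) -> dict:
    """Evaluate every modelled rule against one buffer; returns {rule name: matched}."""
    return {r.name: r.evaluate(data) for r in RULES}


if __name__ == "__main__":
    for label, buf in SAMPLES.items():
        print(label, [name for name, hit in scan_all(buf).items() if hit])
```

The "pe_wide_as_ascii" buffer is the case to remember: a path string stored in ASCII inside a binary will not trigger a wide-only YARA string, so when the encoding a sample actually uses is unknown, declaring the string "ascii wide" is the safer choice.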

Recommendations:

Strategic

  • Incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.
  • Deploy Zero Trust Policy that leverages tools like security information management, advanced security analytics platforms, security user behaviour analytics, and other analytics systems to help the organization’s security personnel observe in real-time what is happening within their networks so they can orient defences more intelligently.
  • Block exploit-like behaviour. Monitor endpoint memory to find behavioural patterns that are typically exploited, including unusual process handle requests. These patterns are features of most exploits, whether known or new. This will be able to provide effective protection against zero-day/critical exploits and more by identifying such patterns.

Management

  • Invest in user education and implement standard operating procedures for the handling of financial and sensitive data transactions commonly targeted by impersonation attacks. Reinforce this training with context-aware banners and in-line prompts to help educate users.
  • Look for email security solutions that use ML- and AI-based anti-phishing technology for BEC protection to analyze conversation history to detect anomalies, as well as computer vision to analyze suspect links within

Tactical

  • For better protection coverage against email attacks (like spear phishing, business email compromise, or credential phishing attacks), organizations should augment built-in email security with layers that take a materially different approach to threat detection.
  • Regular updates can contain new exploitable vulnerabilities. Ensure that all applications are updated with the latest security patch.
  • Employ robust endpoint security options that will allow your IT team to identify what confidential information is being stolen, when, and through what specific channel or device.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defenses based on the tactical intelligence provided.
  • Add the YARA rules for threat detection and monitoring, which will help to detect anomalies in log events and identify and monitor suspicious activities.

3. MAJOR GEOPOLITICAL DEVELOPMENTS IN CYBERSECURITY

Canada Bans China’s Surveillance Maker Over National Security Risks

The Canadian government has banned Chinese surveillance equipment maker Hikvision from operating in the country due to national security concerns. In an official statement, Canada’s Ministry of Innovation announced that following a National Security Review, the Government of Canada has ordered Hikvision Canada, Inc. to cease all operations and shut down its Canadian business as the government has determined that Hikvision’s continued presence would be harmful to Canada’s national security.

The government is also prohibiting all federal departments, agencies, and crown corporations from purchasing or using Hikvision products. Additionally, authorities are reviewing existing installations to ensure legacy Hikvision equipment is removed.

ETLM Assessment:

The company is partly owned by the Chinese government, and under China’s 2017 National Intelligence Law, Chinese firms are legally required to cooperate with intelligence agencies if asked. This means that even if Hikvision claims to operate independently, it could be compelled to share data or grant access to its equipment without disclosure.

Although there is no publicly confirmed evidence showing China has used Hikvision cameras for espionage in other countries, authorities view the risk as significant. Hikvision devices have a history of serious security vulnerabilities, including a critical flaw discovered in 2021 that allowed attackers to remotely take control of cameras. These weaknesses could potentially be exploited for surveillance or cyberattacks targeting sensitive Canadian networks.

Canada’s decision also reflects broader concerns about how the Chinese government uses Hikvision technology for domestic surveillance, particularly in regions such as Xinjiang, where cameras are deployed to monitor and track populations. This connection reinforces the perception that Hikvision is closely tied to China’s security apparatus.

By banning Hikvision and ordering the removal of its equipment from government networks, Canada is aligning with allies like the United States, the United Kingdom, and Australia, which have already imposed similar restrictions. Even without direct evidence of exploitation, the combination of Chinese state ownership, mandatory cooperation with Chinese intelligence, a track record of security flaws, and the company’s role in domestic surveillance led Canadian authorities to conclude that continuing to allow Hikvision devices posed an unacceptable risk to national security.

CISA warns of potential threats from Iran

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to remain alert for potential Iranian cyberattacks amid rising geopolitical tensions. In a joint advisory with the FBI, NSA, and Department of Defense Cyber Crime Center (DC3), CISA warned that Iranian-linked cyber actors could soon target U.S. networks and devices.

“Given the current geopolitical environment, Iranian-affiliated cyber actors may conduct near-term cyber operations against U.S. organizations,” the advisory stated. Companies in the Defense Industrial Base (DIB), especially those connected to Israeli defense and research firms, face heightened risk. Previously, hacktivists and groups tied to the Iranian government frequently exploited poorly secured U.S. networks and internet-connected devices to carry out disruptive attacks, as exemplified by the attacks on water utilities in the US during the previous tensions.

ETLM Assessment:

As the dust settles over the initial hot stage of the war between Israel and Iran, a parallel cyber conflict is unfolding—one that was previously largely overshadowed by the spectacle of missile strikes and air raids. Yet this digital battlefield is just as strategically significant. Both nations are using cyber operations to sabotage infrastructure, disrupt military planning, and undermine financial networks. While the physical war has dominated the headlines so far, the cyber war may prove more enduring, with long-term impacts on critical systems and civilian life that are less visible but contribute substantially to the war efforts of both nations.

Iran’s cyberattacks have yielded mixed results, often with exaggerated or fabricated impacts to heighten psychological effects. Overhyping these incidents risks amplifying the attackers’ influence. Still, individual businesses could face serious consequences and should adopt ransomware prevention measures to mitigate risks.

Ukrainian Hackers Steal Data Related to Russian Electronic Warfare

Tens of gigabytes of secret data on Russia’s strategic electronic warfare (EW) systems have been stolen by a pro-Ukrainian hacker group. The hackers announced that they have obtained a large quantity of data on Russia’s EW systems, including technical specifications, diagrams, official correspondence, equipment setup methods, drawings, test reports, and functional information.

“We got more than just the external appearance. We see the internal logic, architecture, connections between nodes, we know who designed it, which companies supplied the units, which research institutes are responsible for the developments. … We received a number of important military developments along with protocols, engineering solutions and approvals from the Russian Ministry of Defence. In addition, we managed to establish the entire chain of enterprises involved in production and supply. … And it is also important that all the persons involved in the development and creation of these stations were identified. Upon completion of the operation, the RDK had their names, addresses, car numbers, places of work.”

The hacked documents also reveal that Russia exploits China’s satellites, apparently without China’s knowledge, as Russia uses civilian Chinese satellites to cover the calibration of its systems.

ETLM Assessment:

Russia has invested heavily in its EW systems to compensate for its relative lack of satellites compared to the United States or China. The leak is likely to be a considerable setback: it will enable Ukraine’s Western partners to develop effective countermeasures to Russia’s electronic warfare, an important fusion of cyber and kinetic capabilities on the battlefield, and it will leave Russia, which has proved increasingly vulnerable to Western technology, falling further behind technologically.

4. RISE IN MALWARE / RANSOMWARE AND PHISHING

Qilin Ransomware Impacts Quaser Machine Tools, Inc

  • Attack Type: Ransomware
  • Target Industry: Manufacturing
  • Target Geography: Taiwan
  • Ransomware: Qilin Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:

From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Taiwan, Quaser Machine Tools, Inc (https[:]//www[.]quaser[.]com/), was compromised by Qilin Ransomware. Quaser Machine Tools, Inc. is a Taiwan-based company that manufactures and sells various machine tools, primarily CNC (computer numerical control) machine tools. The compromised data includes employee personal information, employment contracts, contact details, production department records, source code, administrative documents, customer information, customer orders, business opportunity details, 3D drawings, quality assurance records, assembly data, product research and development files, product testing data, photographs, correspondence, internal business documents, and other sensitive information. The total volume of exposed data is approximately 2 terabytes.

Relevancy & Insights:

  • Recently, we observed that Qilin offers a “Call Lawyer” function on its affiliate panel, allowing affiliates to request legal consultation during ransom negotiations. This tactic is designed to increase pressure on victims by introducing legal risks and potentially inflating the ransom. The presence of legal counsel in negotiations can intimidate organizations, making them more likely to pay to avoid legal complications.
  • The Qilin Ransomware group primarily targets countries such as the United States of America, Canada, France, Singapore, and Taiwan.
  • The Qilin Ransomware group primarily targets industries, including Industrial Machinery, Business Support Services, Health Care Providers, Heavy Construction, and Manufacturing.
  • Based on the Qilin Ransomware victims list from 1st Jan 2025 to 02nd July 2025, the top 5 Target Countries are as follows:

  • The Top 10 Industries most affected by the Qilin Ransomware victims list from 1st Jan 2025 to 02nd July 2025 are as follows:

ETLM Assessment:

According to CYFIRMA’s assessment, Qilin ransomware poses a significant threat to organizations of all sizes. Its evolving tactics, including double extortion (data encryption and leak threats), cross-platform capabilities (Windows and Linux, including VMware ESXi), and focus on speed and evasion, make it a particularly dangerous actor.

Lynx Ransomware Impacts Siamgas and Petrochemicals Public Company Ltd

  • Attack Type: Ransomware
  • Target Industry: Energy
  • Target Geography: Thailand
  • Ransomware: Lynx Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:

From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Thailand, Siamgas and Petrochemicals Public Company Ltd (https[:]//www[.]siamgas[.]com/), was compromised by Lynx Ransomware. Siamgas and Petrochemicals Public Company Ltd is a leading LPG distributor in Thailand and East Asia. The company operates in five countries: Thailand, China, Singapore, Malaysia, and Vietnam. The compromised data consists of confidential and sensitive information related to the organization.


Source: Dark Web

Relevancy & Insights:

  • Lynx offers multiple encryption modes (fast, medium, slow, and entire) to balance the speed and depth of encryption. It uses the Curve25519 Donna and AES-128 encryption algorithms.
  • Lynx offers cross-platform ransomware binaries for Windows and Linux environments, supporting various architectures like x86, ARM, MIPS, PPC, and
  • Lynx provides a comprehensive platform for affiliates, including tools for managing victims, negotiating ransoms, and sharing access with sub-affiliates.
  • The Lynx Ransomware group primarily targets countries such as the United States of America, the United Kingdom, Germany, Australia, and Sweden.
  • The Lynx Ransomware group primarily targets industries, including Heavy Construction, Retail, Business Support Services, Industrial Machinery, and Specialized Consumer Services.
  • Based on the Lynx Ransomware victims list from 1st Jan 2025 to 02nd July 2025, the top 5 Target Countries are as follows:

  • The Top 10 Industries most affected by the Lynx Ransomware victims list from 1st Jan 2025 to 02nd July 2025 are as follows:

ETLM Assessment:

According to CYFIRMA’s assessment, Lynx ransomware has emerged as a significant threat in the cybersecurity landscape, leveraging advanced encryption and double extortion tactics to target small and medium-sized businesses. Its structured affiliate program and versatile ransomware toolkit make it a formidable force in the RaaS ecosystem.

5. VULNERABILITIES AND EXPLOITS

Vulnerability in Zhiyuan OA

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Software
  • Vulnerability: CVE-2025-34040
  • CVSS Base Score: 0 Source
  • Vulnerability Type: Path Traversal
  • Summary: The vulnerability allows a remote attacker to perform directory traversal attacks.

Relevancy & Insights: The vulnerability exists due to an input validation error when processing directory traversal sequences in the wpsAssistServlet interface.

Impact: A remote attacker can upload arbitrary files onto the system.

Affected Products:

https[:]//service[.]seeyon[.]com/patchtools/tp.html#/patchList?type=%E5%AE%89%E5%85%A8%E8%A1%A5%E4%B8%81&id=1

Recommendations:

  • Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

TOP 5 AFFECTED TECHNOLOGIES OF THE WEEK

This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment:

Vulnerability in the Zhiyuan OA platform can pose significant threats to user privacy and security. This can impact various industries globally, including government, education, healthcare, and enterprise sectors. Ensuring the security of the Zhiyuan OA platform is crucial for maintaining the integrity and protection of sensitive organizational data worldwide. Therefore, addressing these vulnerabilities is essential to safeguarding internal communication, workflow automation, and administrative operations across different geographic regions and sectors.

6. LATEST CYBER-ATTACKS, INCIDENTS, AND BREACHES

Play Ransomware attacked and published the data of Zuellig Industrial

  • Threat Actor: Play Ransomware
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Applications
  • Target Industry: Transportation, Logistics, Supply Chain, and Storage
  • Target Geography: Thailand
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary:

Recently, we observed that Play Ransomware attacked and published the data of Zuellig Industrial (www[.]zuelligindustrial[.]com) on its dark web website.

Zuellig Industrial is a leading B2B company based in Bangkok, Thailand, specializing in transportation, logistics, supply chain management, and storage solutions across the Asia-Pacific region. The company is focused on the marketing, sales, and distribution of technical products and value-added industrial solutions. Its portfolio includes automation and control systems, water treatment technologies, industrial chemicals, technical equipment, tools, and specialized solutions for the personal care and food industries. The data leak, following the ransomware attack, encompasses private and personal confidential data, clients’ documents, budget, payroll, accounting, taxes, IDs, finance information, etc.

Relevancy & Insights:

Recently, we observed a new Play ransomware variant targeting VMware ESXi virtual machines, marking the first Linux-based Play ransomware. The variant detects ESXi environments, shuts down virtual machines, and encrypts VM disks, configuration files, and metadata, appending the .PLAY extension to encrypted files. Ransom notes are left in root directories and displayed on ESXi login portals, increasing pressure on victims to pay.

ETLM Assessment:

According to CYFIRMA’s assessment, Play Ransomware continues to evolve as a significant threat within the cybersecurity landscape, marked by its innovative tactics and recent collaborations with other threat actors. Organizations are advised to enhance their cybersecurity measures by implementing robust defenses against phishing attacks, maintaining updated security protocols, and monitoring for unusual network activity to mitigate risks associated with this evolving threat actor. Continuous vigilance is essential as ransomware groups adapt their strategies and expand their operations.

7. DATA LEAKS

Saudi Mining & Logistics Firm Kalad’s Data Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Mining and Logistics
  • Target Geography: Saudi Arabia
  • Objective: Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:

The CYFIRMA Research team observed a data leak related to Saudi Mining & Logistics Firm Kalad (https[:]//kalad[.]com[.]sa/) in an underground forum. A threat actor has allegedly breached Kalad, a company described as a mining and logistics contractor in Saudi Arabia. In a post on a cybercrime forum, the hacker claimed to have not only exfiltrated the company’s entire database but also defaced its official website, kalad[.]com[.]sa. The post included a screenshot of the defaced homepage as proof of the intrusion.

Kalad is allegedly a contractor in Saudi Arabia’s vital mining and logistics sector. Companies in this industry play a significant role in the Kingdom’s supply chain and economic infrastructure, making them potentially high-value targets for cyberattacks. The successful breach of such an entity could expose sensitive operational and commercial data, impacting its clients and business continuity.

The threat actor advertised a full database dump for download, which allegedly contains a wide range of sensitive information. The attacker also claimed the breach was accomplished using a “Zero-Day exploit.” The compromised data allegedly includes:

  • Full client records
  • Internal emails
  • Employee credentials
  • Contract files and more

Source: Underground Forums

Thai Conglomerate BTS Group Holdings Data Advertised on a Leak Site

  • Attack Type: Data leak
  • Target Industry: Conglomerate Transportation & Infrastructure
  • Target Geography: Thailand
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:

The CYFIRMA Research team observed that a threat actor, “ByteToBreach”, has breached BTS Group Holdings, a major Thai conglomerate, and is offering stolen data for sale on a well-known hacking forum. The attacker claims to possess the complete database from ewet[.]bts[.]co[.]th, believed to be the company’s internal training or learning management portal. The dataset is being sold for $350, with the seller also offering “super admin” access to the site and a PHP reverse shell, potentially enabling deeper access into BTS Group’s internal network.

BTS Group Holdings plays a vital role in Thailand’s economy, primarily known for operating the BTS Skytrain and Bangkok BRT systems. The company also has substantial investments in media, real estate, and various service sectors, making it an attractive target for cybercriminals.

According to the leaked screenshots, the compromised system contains records for 6,277 users, with the exposed data allegedly including a broad range of personally identifiable information (PII). This information could be exploited for phishing attacks, identity theft, and other malicious purposes.

The threat actor provided screenshots showing the website’s administration panel and a large spreadsheet containing user data. An analysis of the images indicates the following information has allegedly been compromised:

  • Full names
  • Usernames and hashed passwords
  • Email addresses
  • Phone numbers
  • Institutional and departmental details
  • IP addresses
  • Physical addresses
  • A range of other system-related user data

Source: Underground Forums

Relevancy & Insights:

Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data.

Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:

The threat actor known as “ByteToBreach” has recently emerged as a highly active group specializing in data leaks. Verified reports link the group to multiple breaches involving unauthorized system access and the sale of stolen data on dark web marketplaces.

ByteToBreach’s ongoing activity highlights the evolving and persistent nature of cyber threats originating from the dark web. These incidents underscore the urgent need for organizations to strengthen their cybersecurity posture through continuous monitoring, effective use of threat intelligence, and proactive security measures to protect critical information assets.

Recommendations:

Enhance the cybersecurity posture by:

  1. Update all software products to their latest versions to mitigate the risk of vulnerabilities being exploited.
  2. Ensure proper database configuration to mitigate the risk of database-related
  3. Establish robust password management policies, incorporating multi-factor authentication and role-based access to fortify credential security and prevent unauthorized access.

8. OTHER OBSERVATIONS

The CYFIRMA Research team observed that a threat actor has allegedly put the financial and personal data of Indian conglomerate Bajaj Finserv’s customers and employees up for sale on a dark web forum. Bajaj Finserv is a prominent non-banking financial services company in India, offering a vast portfolio of products, including loans, insurance, and wealth management, to over 100 million customers. A breach of this magnitude could have significant consequences for the individuals whose data has been compromised.

The seller on the forum claims to possess a database containing information on 207,000 unique users. To substantiate their claim, the actor shared a sample of the data, which appears to contain an extensive amount of sensitive information. The potential leak includes a wide range of personal, financial, and internal company data, which could be exploited by malicious actors for phishing campaigns, identity theft, and other fraudulent activities. The scale and detail of the allegedly leaked information underscore the critical importance of robust cybersecurity measures for financial institutions.

The data, which is being sold for an undisclosed amount in Monero (XMR), allegedly includes numerous fields of customer and internal information. The exposure of such comprehensive data could lead to significant financial and reputational damage for the company and pose a serious privacy risk to its customers and employees.

While the company has not yet publicly addressed the alleged incident, the situation highlights the persistent threats facing large corporations that handle sensitive data.

Some of the allegedly leaked data points include:

  • First and Last Names
  • Phone and Mobile Numbers
  • Email Addresses
  • Physical Addresses (City, State, ZIP Code)
  • Date of Joining / Creation Date
  • Employment Details (Department, Title, Employee ID)
  • Account Details (Account Number, Loan Amount, Bank IFSC/MICR)
  • Beneficiary Account Number and Name
  • Customer and Dealer Information
  • Risk Classification and Scores

Source: Underground Forums

STRATEGIC RECOMMENDATIONS

  • Attack Surface Management should be adopted by organisations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring, through next-generation security solutions and a ready-to-go incident response
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediations, and lessons learned.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM.
  • Detection processes are tested to ensure awareness of anomalous events, with timely communication of anomalies, and are continuously evolved to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and execute security checklists rapidly.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defences based on the tactical intelligence.
  • Deploy detection technologies that are behavioral anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate-limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.
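Two of the controls recommended above, rate-limiting and account lockout, are shown working together in the following added example; it is illustrative code written for this report, not a CYFIRMA tool or any product's implementation. The thresholds (six attempts per IP per minute, three consecutive failures before a fifteen-minute lockout), the IP addresses and the account name are constructed assumptions chosen to make the replay short.

```python
import time
from collections import defaultdict, deque


class LoginGuard:
    """Per-IP sliding-window rate limit combined with per-account lockout.

    check() is called before the password is verified; record() afterwards.
    Thresholds are constructed defaults for the example, not recommended values.
    """

    def __init__(self, max_per_ip=10, ip_window=60, max_failures=5,
                 lockout=900, clock=time.monotonic):
        self.max_per_ip = max_per_ip      # attempts allowed per IP per window
        self.ip_window = ip_window        # window length in seconds
        self.max_failures = max_failures  # consecutive failures before lockout
        self.lockout = lockout            # lockout duration in seconds
        self.clock = clock                # injectable for deterministic tests
        self._ip_hits = defaultdict(deque)  # ip -> timestamps of recent attempts
        self._failures = defaultdict(int)   # account -> consecutive failures
        self._locked_until = {}             # account -> clock time lock expires

    def check(self, ip, account):
        """Return (allowed, reason). reason is for logging only: the client
        should always receive the same generic response so it cannot learn
        whether an account exists or is locked."""
        now = self.clock()
        hits = self._ip_hits[ip]
        while hits and now - hits[0] > self.ip_window:
            hits.popleft()              # drop attempts outside the window
        if len(hits) >= self.max_per_ip:
            return False, "ip_rate_limited"
        hits.append(now)
        until = self._locked_until.get(account)
        if until is not None:
            if now < until:
                return False, "account_locked"
            del self._locked_until[account]   # lock expired: start fresh
            self._failures[account] = 0
        return True, "ok"

    def record(self, account, success):
        """Update the failure counter after a password check."""
        if success:
            self._failures[account] = 0
            return
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout


def simulate():
    """Replay a constructed burst of wrong passwords from one IP against one
    account, then a later attempt from another IP, and return the decisions."""
    t = [0.0]
    guard = LoginGuard(max_per_ip=6, ip_window=60, max_failures=3,
                       lockout=900, clock=lambda: t[0])
    decisions = []
    for _ in range(8):               # eight attempts, one second apart
        t[0] += 1
        allowed, reason = guard.check("198.51.100.23", "alice")
        decisions.append(reason)
        if allowed:
            guard.record("alice", success=False)
    t[0] = 1000.0                    # lockout (until t=903) has expired
    decisions.append(guard.check("203.0.113.77", "alice")[1])
    return decisions


if __name__ == "__main__":
    for i, decision in enumerate(simulate(), 1):
        print(f"attempt {i}: {decision}")
```

In the replay, the account locks after the third failure while the IP limit is still open, and the IP limit then closes after the sixth attempt in the window; the two controls fail independently, which is the point of layering them. The reason string is kept server-side so that the response to the client stays uniform.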

Situational Awareness – Cyber News [NEW]

Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.

Geography-Wise Graph

Industry-Wise Graph

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, and technology, please access DeCYFIR.