
The CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple industries, geographies, and technologies that could be relevant to your organization.
Type: Ransomware
Target Technologies: Windows OS
Introduction:
CYFIRMA’s Research and Advisory Team has found Rex Ransomware while monitoring various underground forums as part of our Threat Discovery Process.
Rex Ransomware
Rex is a ransomware strain that encrypts files on compromised systems and appends the “.rex48” extension to affected filenames; the numeric suffix may vary between variants. For example, “1.jpg” and “2.png” are renamed to “1.jpg.rex48” and “2.png.rex48”. After completing encryption, the malware drops an HTML ransom note named “RANSOM_NOTE.html”. The note also claims that confidential data was exfiltrated from the victim’s network, indicating a double-extortion scheme designed to pressure organizations into paying the ransom.

Screenshot: File encrypted by ransomware (Source: Surface Web)
The ransom note states that the victim’s company network has been penetrated and warns against using third-party recovery tools, modifying encrypted files, or renaming them, claiming such actions could permanently corrupt the data. The attackers claim that confidential and personal information has been collected and stored on a private server, with threats to publicly release or sell the data if payment is not made. Victims are offered free decryption of 2–3 non-important files as proof that recovery is possible and are instructed to contact the operators through the provided email addresses or Tor-based chat service. The note also states that the ransom demand will increase if contact is not established within 72 hours.

Screenshot: The appearance of Rex’s Ransom Note (Source: Surface Web)

Screenshot: The appearance of Rex’s TOR chat window (Source: Surface Web)
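A triage script is a quick way to scope an incident like the one described above: walk a share, match the variant-specific extension pattern rather than one literal suffix (the page gives “.rex48” and says the number varies), recover the original extensions that were hit, and record where ransom notes were dropped. The script below is an added example, not CYFIRMA tooling or the malware's code; the sample tree it builds is constructed for illustration, and the second suffix “.rex51” in it is a hypothetical variant.

```python
import os
import re
import tempfile
from collections import Counter

# Family pattern from the page: ".rex" followed by a variant-specific number.
# Case-insensitive so it also works on case-insensitive file systems.
REX_SUFFIX = re.compile(r"\.rex(\d+)$", re.IGNORECASE)
NOTE_NAME = "RANSOM_NOTE.html"


def scan_tree(root):
    """Walk `root` and summarise Rex-style artifacts.

    Returns the encrypted-file count, a Counter of numeric variant suffixes
    seen, a Counter of original extensions that were hit, the directories
    holding a ransom note, and the encrypted paths (relative to root).
    """
    summary = {
        "encrypted": 0,
        "variants": Counter(),
        "orig_ext": Counter(),
        "note_dirs": [],
        "encrypted_files": [],
    }
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in files:
            if name == NOTE_NAME:
                summary["note_dirs"].append(rel_dir)
                continue
            match = REX_SUFFIX.search(name)
            if not match:
                continue
            summary["encrypted"] += 1
            summary["variants"][match.group(1)] += 1
            # The malware appends its suffix, so everything before it is the
            # original name ("1.jpg.rex48" -> "1.jpg").
            original = name[: match.start()]
            ext = os.path.splitext(original)[1].lower() or "<none>"
            summary["orig_ext"][ext] += 1
            summary["encrypted_files"].append(os.path.join(rel_dir, name))
    summary["note_dirs"].sort()
    summary["encrypted_files"].sort()
    return summary


def build_sample_tree():
    """Constructed sample share (not data from the page): one directory hit by
    the ".rex48" variant, one by a hypothetical ".rex51" variant, a note in
    each, and an untouched directory."""
    root = tempfile.mkdtemp(prefix="rex_triage_")
    layout = [
        "finance/1.jpg.rex48",
        "finance/2.png.rex48",
        "finance/q1-report.docx.rex48",
        "finance/RANSOM_NOTE.html",
        "hr/payroll.xlsx.rex51",
        "hr/RANSOM_NOTE.html",
        "hr/notes.rex",            # no numeric suffix: not a Rex artifact
        "public/readme.txt",       # untouched
    ]
    for rel in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"x")
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(f"{result['encrypted']} encrypted files; variants: {dict(result['variants'])}")
    print(f"original extensions hit: {dict(result['orig_ext'])}")
    print(f"ransom notes in: {result['note_dirs']}")
```

Point `scan_tree()` at a mounted share or a forensic image mount instead of the sample tree; the per-directory note list and the variant histogram are usually enough to tell a single-host infection from one that reached file servers.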
The following are the TTPs based on the MITRE ATT&CK Framework
| Tactic | Technique ID | Technique Name |
| Execution | T1106 | Native API |
| Execution | T1574 | Hijack Execution Flow |
| Privilege Escalation | T1055 | Process Injection |
| Credential Access | T1003 | OS Credential Dumping |
| Credential Access | T1552 | Unsecured Credentials |
| Credential Access | T1552.001 | Unsecured Credentials: Credentials In Files |
| Discovery | T1012 | Query Registry |
| Discovery | T1033 | System Owner/User Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1518 | Software Discovery |
| Collection | T1005 | Data from Local System |
| Collection | T1074 | Data Staged |
| Collection | T1114 | Email Collection |
| Collection | T1560 | Archive Collected Data |
| Command and Control | T1071 | Application Layer Protocol |
| Stealth | T1202 | Indirect Command Execution |
| Stealth | T1564 | Hide Artifacts |
| Defense Impairment | T1562 | Impair Defenses |
| Impact | T1486 | Data Encrypted for Impact |
Relevancy and Insights:
ETLM Assessment:
CYFIRMA’s analysis indicates that Rex ransomware currently operates as a double-extortion malware campaign designed to target enterprise and corporate environments through file encryption and alleged data theft. The ransomware encrypts files on compromised systems and appends variant-specific extensions such as “.rex48” to affected files before dropping an HTML-based ransom note titled “RANSOM_NOTE.html”. The note instructs victims not to rename encrypted files or use third-party recovery solutions, while simultaneously pressuring organizations through threats of public data exposure. The operators claim to have collected confidential and personal information from the victim’s network and leverage this claim to intensify extortion pressure beyond operational disruption caused by encryption alone. The inclusion of free decryption for a limited number of files is consistent with tactics used to establish credibility during ransom negotiations and increase the likelihood of payment.
The ransomware’s operational structure suggests a focus on maintaining persistence in victim communication and maximizing negotiation control through multiple contact mechanisms, including email-based communication and Tor-based channels. The language used in the ransom note indicates a deliberate attempt to discourage victims from seeking external recovery assistance or incident response support. Rex ransomware also demonstrates characteristics commonly associated with modern financially motivated ransomware activity, including enterprise-focused targeting, psychological pressure tactics, and the integration of data-leak threats into the extortion lifecycle. The emphasis on “company network” compromise indicates that the operators are likely prioritizing organizational victims where operational downtime and potential reputational damage can significantly increase pressure to comply with ransom demands.
CYFIRMA assesses that ransomware operations such as Rex are likely to evolve toward more advanced and modular attack frameworks capable of adapting to different enterprise environments. Future variants may incorporate stronger defense evasion capabilities, faster encryption mechanisms, and broader support for lateral movement across networked systems to increase operational impact before detection occurs. Threat actors behind such ransomware campaigns may also continue enhancing data exfiltration workflows and extortion strategies by integrating automated reconnaissance, credential harvesting, and selective targeting of critical business assets. In addition, future iterations may increasingly rely on anonymized communication infrastructure, multi-stage payload deployment, and customizable ransom negotiation models to improve operational resilience and maximize financial returns from enterprise victims.
Sigma rule:
title: Shadow Copies Deletion Using Operating Systems Utilities
tags:
    - attack.impact
    - attack.stealth
    - attack.t1070
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection1_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\wmic.exe'
              - '\vssadmin.exe'
              - '\diskshadow.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'wmic.exe'
              - 'VSSADMIN.EXE'
              - 'diskshadow.exe'
    selection1_cli:
        CommandLine|contains|all:
            - 'shadow' # will match "delete shadows" and "shadowcopy delete" and "shadowstorage"
            - 'delete'
    selection2_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection2_cli:
        CommandLine|contains|all:
            - 'delete'
            - 'catalog'
            - 'quiet' # will match -quiet or /quiet
    selection3_img:
        - Image|endswith: '\vssadmin.exe'
        - OriginalFileName: 'VSSADMIN.EXE'
    selection3_cli:
        CommandLine|contains|all:
            - 'resize'
            - 'shadowstorage'
        CommandLine|contains:
            - 'unbounded'
            - '/MaxSize='
    condition: (all of selection1*) or (all of selection2*) or (all of selection3*)
falsepositives:
    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
    - LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)
level: high
(Source: Surface Web)
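To see exactly what the rule above fires on, the following added example hand-translates its three selection groups into plain Python and runs them over constructed process-creation events (Sysmon Event ID 1 style field names). It is not SigmaHQ or CYFIRMA code, and the events are made up for illustration. Three Sigma semantics matter here and are reproduced: `endswith` and `contains` compare case-insensitively; a selection written as a list of maps is OR-ed, so either the `Image` suffix or the PE `OriginalFileName` satisfies it (which is how a renamed `vssadmin.exe` is still caught); and `contains|all` needs every listed substring, which is why `vssadmin list shadows` does not match.

```python
# Selection 1: image/original-name alternatives, all lowercase for the
# case-insensitive comparison Sigma performs.
SEL1_IMAGES = ("\\powershell.exe", "\\pwsh.exe", "\\wmic.exe",
               "\\vssadmin.exe", "\\diskshadow.exe")
SEL1_ORIGINALS = ("powershell.exe", "pwsh.dll", "wmic.exe",
                  "vssadmin.exe", "diskshadow.exe")


def _image_matches(event, image_suffixes, original_names):
    """selectionN_img: Image|endswith OR OriginalFileName (list of maps = OR).
    OriginalFileName comes from the PE version resource, so a copied and
    renamed binary still matches."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(image_suffixes) or original in original_names


def _cli_contains_all(event, *needles):
    """CommandLine|contains|all: every substring must be present."""
    cli = event.get("CommandLine", "").lower()
    return all(n.lower() in cli for n in needles)


def _cli_contains_any(event, *needles):
    """CommandLine|contains with a list: any substring is enough."""
    cli = event.get("CommandLine", "").lower()
    return any(n.lower() in cli for n in needles)


def match_shadow_copy_deletion(event):
    """Return 1, 2 or 3 for the selection group that fires, else None."""
    if (_image_matches(event, SEL1_IMAGES, SEL1_ORIGINALS)
            and _cli_contains_all(event, "shadow", "delete")):
        return 1
    if (_image_matches(event, ("\\wbadmin.exe",), ("wbadmin.exe",))
            and _cli_contains_all(event, "delete", "catalog", "quiet")):
        return 2
    if (_image_matches(event, ("\\vssadmin.exe",), ("vssadmin.exe",))
            and _cli_contains_all(event, "resize", "shadowstorage")
            and _cli_contains_any(event, "unbounded", "/MaxSize=")):
        return 3
    return None


# Constructed events, not telemetry from the page.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": r"C:\Windows\System32\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin list shadows"},               # benign enumeration
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "svc.exe delete shadows /all /quiet"},  # renamed copy
]


def run(events=SAMPLE_EVENTS):
    """Evaluate every event; returns the list of firing selection numbers."""
    return [match_shadow_copy_deletion(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run()):
        print(f"selection{hit if hit else '-'}: {event['CommandLine']}")
```

The renamed-copy case in the last event is the reason the rule keys on `OriginalFileName` as well as `Image`; if your telemetry source does not populate that field (many EDRs do, Windows Security 4688 does not), the rule silently loses that coverage.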
IOCs:
Kindly refer to the IOCs section to exercise control of your security systems. (Source: Surface Web)
STRATEGIC RECOMMENDATION
MANAGEMENT RECOMMENDATION
TACTICAL RECOMMENDATION
Type: Stealer | Objectives: Data Exfiltration | Target Technology: macOS |
Target Geography: Global (Blocked Countries: Russia, Belarus, Kazakhstan, Armenia, and Ukraine) | Targeted Hardware: M2, M3 & M4
CYFIRMA collects data from various forums, based on which trends are ascertained. We identified a few popular malware samples that are being distributed in the wild to launch cyberattacks on organizations and individuals.
Active Malware of the week
This week, “Ultimate Stealer” is in focus.
Overview of Operation Ultimate Stealer Malware
Analysis of the Ultimate Stealer sample reveals a sophisticated, cross-platform data-exfiltration program deliberately engineered to covertly infiltrate user systems, extract sensitive information, and minimize forensic evidence of its activity. Presented under the guise of a legitimate script, the program integrates social engineering techniques, system manipulation, and stealth mechanisms to obtain elevated privileges on targeted machines. Its modular architecture supports remote updates, selective execution based on hardware and geographic parameters, and adaptive operational behavior that differentiates it from conventional opportunistic malware.
The program prioritizes the collection of high-value data, including browser credentials, cryptocurrency wallet artifacts, messaging session tokens, system metadata, and clipboard contents. It leverages trusted system components and commonly permitted applications to bypass user consent controls and security prompts, while also attempting to establish persistence to ensure silent re-execution after system restarts. To avoid detection, it incorporates obfuscation techniques, fileless execution patterns, and process-injection methods that allow its activities to blend with normal operating system processes.
Network observations indicate encrypted communications with external endpoints for geolocation checks and data exfiltration, often using widely trusted web services to disguise outbound traffic. Upon completing its objectives, the program attempts to remove temporary artifacts, clear activity traces, and dismantle persistence mechanisms to complicate forensic analysis. This case underscores the evolving sophistication of modern threats and highlights the importance of layered defensive strategies, continuous monitoring, and user awareness in contemporary cybersecurity environments.
Attack Method
The attack sequence commences with the execution of a seemingly legitimate JavaScript that conducts comprehensive environmental validation prior to initiating malicious operations. The program systematically fingerprints the host by collecting hardware identifiers, operating system details, memory capacity, processor information, and user account attributes. It further performs geolocation verification through an external IP intelligence service to ensure that the target system aligns with predefined operational criteria. These preliminary checks enable the program to avoid execution in sandboxed, research, or non-target environments, thereby reducing the probability of early detection.
Following validation, the program attempts to access sensitive data sources by leveraging native operating system utilities rather than relying exclusively on embedded malicious routines. Concurrently, it employs scripted dialog prompts designed to resemble legitimate system messages, thereby persuading the user to provide authentication credentials. These credentials are subsequently utilized to achieve privilege escalation through standard administrative command pathways, minimizing the presence of overt exploit artifacts.
To circumvent privacy controls and user consent mechanisms, the program utilizes automation scripts to interact with trusted system applications, allowing malicious commands to be executed within legitimate process contexts. It also attempts to establish persistence by creating a launch daemon configured to execute with elevated privileges during system startup. This persistence mechanism is deliberately disguised with identifiers resembling authentic system services, reducing the likelihood of detection during routine system review.
In the final phase, the program employs advanced evasion and data exfiltration techniques. Additional functional modules are retrieved from remote sources to dynamically extend operational capabilities without modifying the original script. Collected data is compressed, encoded, and transmitted to external endpoints through encrypted communication channels that resemble legitimate web traffic. Upon completing its objectives, the program initiates cleanup procedures to remove temporary artifacts, clear command histories, and dismantle persistence components, thereby complicating subsequent forensic analysis.
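The persistence step in the sequence above (a launch daemon disguised with an Apple-looking identifier; the page's YARA rule carries the string “LaunchDaemons/com.apple.softwareupdate.plist”) is the one a responder can hunt for directly. The script below is an added example, not the malware's code or CYFIRMA tooling. It parses LaunchDaemon plists and flags the masquerade pattern: a `com.apple.*` label installed under `/Library/LaunchDaemons` (Apple's own daemons ship under `/System/Library/LaunchDaemons`), an Apple-style label whose program lives outside Apple-controlled paths, and an interpreter re-running a script file at boot. Those location rules are stated as heuristics, not facts from the page; a few Apple products do install into `/Library/LaunchDaemons`, so findings are review items rather than verdicts. Both plists are constructed.

```python
import plistlib

# Heuristic assumptions (not facts from the page): Apple-shipped daemons run
# binaries from these prefixes, and third-party installers write their plists
# to /Library/LaunchDaemons. Note /usr/local/ is deliberately not included.
APPLE_BINARY_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/",
                         "/bin/", "/sbin/", "/Library/Apple/")
THIRD_PARTY_DAEMON_DIR = "/Library/LaunchDaemons/"
SCRIPT_INTERPRETERS = {"node", "osascript", "bash", "sh", "zsh", "python3"}


def review_launch_daemon(plist_path, plist_bytes):
    """Return a list of review findings for one LaunchDaemon plist ([] = nothing odd)."""
    data = plistlib.loads(plist_bytes)
    label = data.get("Label", "")
    args = list(data.get("ProgramArguments") or [])
    if not args and data.get("Program"):
        args = [data["Program"]]
    program = args[0] if args else ""
    findings = []
    if label.startswith("com.apple."):
        if plist_path.startswith(THIRD_PARTY_DAEMON_DIR):
            findings.append(f"{label}: Apple-style label installed in {THIRD_PARTY_DAEMON_DIR}")
        if program and not program.startswith(APPLE_BINARY_PREFIXES):
            findings.append(f"{label}: Apple-style label but program is {program}")
    # Interpreter + script file is how a JavaScript-based stealer re-launches at boot.
    interpreter = program.rsplit("/", 1)[-1]
    if interpreter in SCRIPT_INTERPRETERS and len(args) > 1:
        findings.append(f"{label}: {interpreter} runs {args[1]} with args {args[2:]}")
    # launchd restarts a KeepAlive job when it exits, so killing it is not enough.
    if data.get("RunAtLoad") and data.get("KeepAlive") and findings:
        findings.append(f"{label}: RunAtLoad+KeepAlive, restarted if killed")
    return findings


# Constructed plists. The suspect one mirrors the behaviour the page describes:
# an Apple-looking label, Node re-running the script silently, auto-start.
SUSPECT_PATH = "/Library/LaunchDaemons/com.apple.softwareupdate.plist"
SUSPECT_PLIST = plistlib.dumps({
    "Label": "com.apple.softwareupdate",
    "ProgramArguments": ["/usr/local/bin/node", "/Users/Shared/.cache/update.js", "--silent"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN_PATH = "/Library/LaunchDaemons/com.example.backupagent.plist"
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.backupagent",
    "ProgramArguments": ["/Library/Application Support/Example/backupd", "--daemon"],
    "RunAtLoad": True,
})


if __name__ == "__main__":
    for path, blob in ((SUSPECT_PATH, SUSPECT_PLIST), (BENIGN_PATH, BENIGN_PLIST)):
        print(path, "->", review_launch_daemon(path, blob) or "no findings")
```

On a live host, feed `review_launch_daemon()` the bytes of each file in `/Library/LaunchDaemons` (and `~/Library/LaunchAgents` for per-user variants); because the malware is described as cleaning up its persistence after exfiltration, an empty result on a suspect machine does not clear it, and the unified log or a file-system timeline should be checked for the plist having existed.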
Following are the TTPs based on the MITRE ATT&CK Framework for Enterprise
| Tactic | Technique ID | Technique Name |
| Execution | T1059.007 | Command and Scripting Interpreter: JavaScript |
| Execution | T1204 | User Execution |
| Stealth | T1027 | Obfuscated Files or Information |
| Stealth | T1202 | Indirect Command Execution |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1016 | System Network Configuration Discovery |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
INSIGHTS
A prominent feature of the analyzed malware is its intentional reliance on contextual evaluation before initiating any meaningful activity. The program performs selective assessment of hardware characteristics, geographic indicators, and overall system conditions, suggesting that its execution is restricted to specific and favorable environments. This disciplined approach indicates a calculated design in which operations are confined to carefully chosen targets to minimize unnecessary exposure.
Another key observation is the malware’s methodical alignment with legitimate system operations and routine user interactions. Instead of adopting intrusive or disruptive tactics, it leverages standard system tools, familiar application environments, and expected user-facing prompts to achieve its objectives. This measured operational style enables the malware to remain indistinguishable from normal system behavior, thereby reducing the likelihood of detection through unusual activity patterns.
Furthermore, the malware follows a well-structured sequence of actions in which data collection, privilege management, persistence mechanisms, communication, and cleanup are executed in a coordinated and orderly manner. Each stage appears designed to support the next while limiting residual artifacts. This systematic flow reflects a focus on operational consistency and discretion, allowing the malware to operate efficiently without leaving readily observable signs of compromise.
ETLM ASSESSMENT
From an ETLM standpoint, the emergence of threats characterized by subtlety and contextual awareness signifies a movement toward attack approaches that integrate seamlessly with ordinary organizational routines. Such developments are expected to reduce the clarity with which malicious behavior can be distinguished from legitimate system activity, thereby obscuring traditional signs of compromise. As employees continue to rely on familiar tools and processes in their daily work, these routine interactions may inadvertently provide opportunities for such threats to sustain their presence.
In the longer term, the increasing overlap between standard operational workflows and concealed malicious actions may contribute to a progressively ambiguous threat environment. This convergence is likely to make the identification of irregularities more complex, heightening the challenges associated with maintaining awareness of potential risks across both organizational systems and individual user activities.
IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems. (Source: Surface Web)
YARA Rule
import "hash"

rule UltimateStealer_MacOS_Node
{
    meta:
        description = "Detects Ultimate macOS Node-based stealers via hashes and behavioral strings"
        author = "CYFIRMA"
        date = "2026-04-12"
    strings:
        /* Behavioral indicators */
        $s1 = "Chrome Safe Storage"
        $s2 = "security find-generic-password"
        $s3 = "osascript -e"
        $s4 = "com.apple.softwareupdate.plist"
        $s5 = "ipapi.co/json"
        $s6 = "discord.com/api/webhooks"
        $s7 = "sysctl -n machdep.cpu.brand_string"
        $s8 = "LaunchDaemons/com.apple.softwareupdate.plist"
        $s9 = "history -c"
        $s10 = "gzipSync"
        $s11 = "Buffer.from"
        $s12 = "node ${process.argv[1]} --silent"
    condition:
        (
            hash.md5(0, filesize) == "17f0a28f279e276ae7105cabcd956f73" or
            hash.sha1(0, filesize) == "4d150b31817f286ffd49fb6230c61d3b6fd4ee8d" or
            hash.sha256(0, filesize) == "ef02d5b2711367205087840e84a6a498a0c74fa7d408aacccd6650622520f8cc"
        )
        or (7 of ($s*))
}
Strategic Recommendations
Management Recommendations
Tactical Recommendations
Key Intelligence Signals:
MuddyWater Continues Persistent Intelligence Collection Through Covert Access Operations
About the Threat Actor
MuddyWater is an advanced persistent threat (APT) group widely believed to be linked to Iran’s Ministry of Intelligence and Security (MOIS), with a longstanding history of espionage-focused cyber operations. The group is known for targeting organizations in the Middle East using PowerShell-based in-memory attack techniques associated with “living-off-the-land” tactics. These methods avoid deploying new binaries on compromised systems, enabling the attackers to maintain a low detection profile and minimal forensic footprint.
Details on Exploited Vulnerabilities
| CVE ID | Affected Products | CVSS Score | Exploit Links |
| CVE-2017-0199 | Microsoft Office | 7.8 | Link1, Link2, Link3 |
| CVE-2017-8759 | Microsoft .NET Framework | 7.8 | Link |
| CVE-2017-11882 | Microsoft Office | 7.8 | Link |
| CVE-2017-17215 | Huawei HG532 | 8.8 | – |
| CVE-2020-0688 | Microsoft Exchange Server | 8.8 | Link1, Link2 |
| CVE-2026-1731 | BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) | 9.8 | – |
| CVE-2017-5715 | Microprocessors | 5.6 | Link1, Link2 |
| CVE-2018-8611 | Microsoft Windows | 7.8 | – |
| CVE-2019-0797 | Microsoft Windows Win32k | 7.8 | – |
TTPs based on MITRE ATT&CK Framework
| Tactic | ID | Technique |
| Reconnaissance | T1590 | Gather Victim Network Information |
| Resource Development | T1588.002 | Obtain Capabilities: Tool |
| Resource Development | T1583.001 | Acquire Infrastructure: Domains |
| Resource Development | T1588.001 | Obtain Capabilities: Malware |
| Resource Development | T1583.006 | Acquire Infrastructure: Web Services |
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment |
| Initial Access | T1190 | Exploit Public-Facing Application |
| Initial Access | T1566 | Phishing |
| Initial Access | T1566.002 | Phishing: Spearphishing Link |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic |
| Execution | T1059.006 | Command and Scripting Interpreter: Python |
| Execution | T1059.007 | Command and Scripting Interpreter: JavaScript |
| Execution | T1047 | Windows Management Instrumentation |
| Execution | T1204.001 | User Execution: Malicious Link |
| Execution | T1204.002 | User Execution: Malicious File |
| Execution | T1203 | Exploitation for Client Execution |
| Execution | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Execution | T1559.001 | Inter-Process Communication: Component Object Model |
| Execution | T1574.001 | Hijack Execution Flow: DLL |
| Execution | T1204.004 | User Execution: Malicious Copy and Paste |
| Execution | T1559.002 | Inter-Process Communication: Dynamic Data Exchange |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Persistence | T1137.001 | Office Application Startup: Office Template Macros |
| Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Privilege Escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
| Privilege Escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Privilege Escalation | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Stealth | T1218.003 | System Binary Proxy Execution: CMSTP |
| Stealth | T1218.005 | System Binary Proxy Execution: Mshta |
| Stealth | T1140 | Deobfuscate/Decode Files or Information |
| Stealth | T1574.001 | Hijack Execution Flow: DLL |
| Stealth | T1036.005 | Masquerading: Match Legitimate Resource Name or Location |
| Stealth | T1684.001 | Social Engineering: Impersonation |
| Stealth | T1027.010 | Obfuscated Files or Information: Command Obfuscation |
| Stealth | T1027.003 | Obfuscated Files or Information: Steganography |
| Stealth | T1027.004 | Obfuscated Files or Information: Compile After Delivery |
| Stealth | T1218.011 | System Binary Proxy Execution: Rundll32 |
| Defense Impairment | T1685 | Disable or Modify Tools |
| Credential Access | T1555 | Credentials from Password Stores |
| Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory |
| Credential Access | T1003.004 | OS Credential Dumping: LSA Secrets |
| Credential Access | T1003.005 | OS Credential Dumping: Cached Domain Credentials |
| Credential Access | T1552.001 | Unsecured Credentials: Credentials In Files |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1057 | Process Discovery |
| Discovery | T1033 | System Owner/User Discovery |
| Discovery | T1049 | System Network Connections Discovery |
| Discovery | T1016 | System Network Configuration Discovery |
| Discovery | T1087.002 | Account Discovery: Domain Account |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1518 | Software Discovery |
| Discovery | T1518.001 | Software Discovery: Security Software Discovery |
| Lateral Movement | T1210 | Exploitation of Remote Services |
| Lateral Movement | T1534 | Internal Spearphishing |
| Collection | T1113 | Screen Capture |
| Collection | T1560.001 | Archive Collected Data: Archive via Utility |
| Collection | T1074.001 | Data Staged: Local Data Staging |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |
| Command and Control | T1132.001 | Data Encoding: Standard Encoding |
| Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography |
| Command and Control | T1105 | Ingress Tool Transfer |
| Command and Control | T1104 | Multi-Stage Channels |
| Command and Control | T1571 | Non-Standard Port |
| Command and Control | T1090 | Proxy |
| Command and Control | T1090.002 | Proxy: External Proxy |
| Command and Control | T1219.002 | Remote Access Tools: Remote Desktop Software |
| Command and Control | T1102.002 | Web Service: Bidirectional Communication |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Exfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
Latest Developments Observed
The threat actor is suspected of leveraging Chaos ransomware to target organizations across the construction, manufacturing, and business services sectors in the United States and several European countries, including the United Kingdom, Sweden, Austria, Germany, Poland, and Italy. Initial access is believed to be obtained through social engineering techniques and abuse of remote access services to establish a foothold within targeted environments. The campaign appears to be financially motivated and aligned with triple extortion strategies involving exfiltration of sensitive information, monetary demands, and the threat or execution of DDoS attacks.
ETLM Insights
MuddyWater operations are primarily focused on long-term intelligence collection, covert access, and strategic surveillance rather than financially motivated activity. The group continues to evolve its operational capabilities and infrastructure strategy to support persistent espionage operations across strategically important environments.
The actor’s behaviour reflects three core strategic drivers:
Looking ahead, the threat actor is likely to continue refining its extortion-centric operations through broader geographic targeting, enhanced intrusion automation, and increasingly disruptive coercion tactics aimed at sustaining operational leverage and reducing victim recovery flexibility.
IOCs:
Kindly refer to the IOCs section to exercise control of your security systems. (Source: Surface Web)
YARA Rules
rule Suspicious_Infrastructure_and_Malware_Artifacts
{
    meta:
        description = "Detects suspicious infrastructure, malware filenames, hashes, and exploit references observed in the campaign"
        author = "CYFIRMA"
        date = "2026-05-12"
        version = "1.1"
    strings:
        /* CVE References */
        $cve_1 = "CVE-2015-5122" ascii nocase
        $cve_2 = "CVE-2012-0158" ascii nocase
        $cve_3 = "CVE-2010-3333" ascii nocase
        $cve_4 = "CVE-2014-1761" ascii nocase
        $cve_5 = "CVE-2017-1215" ascii nocase
        $cve_6 = "CVE-2026-1731" ascii nocase
        $cve_7 = "CVE-2017-0199" ascii nocase
        /* IP Indicators */
        $ip_1 = "146.70.124.102" ascii
        $ip_2 = "45.67.230.91" ascii
        $ip_3 = "94.131.109.65" ascii
        $ip_4 = "94.131.98.14" ascii
        $ip_5 = "95.164.38.99" ascii
        $ip_6 = "64.233.181.94" ascii
        /* Domain Indicators */
        $dom_1 = "downloadfile.egnyte.com" ascii nocase
        $dom_2 = "fileuploadcloud.egnyte.com" ascii nocase
        $dom_3 = "airpazflys.egnyte.com" ascii nocase
        $dom_4 = "airpaz.egnyte.com" ascii nocase
        $dom_5 = "softwarehosts.com" ascii nocase
        $dom_6 = "smtpcloudapp.com" ascii nocase
        $dom_7 = "onlinemailservices.com" ascii nocase
        /* File / Hash Indicators */
        $sha256_1 = "28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaf03797511aa" ascii nocase
        $file_1 = "ynkf.exe" ascii nocase
        $file_2 = "solidworks-5.25.483-win-x64.exe" ascii nocase
        $file_3 = "pbidesktopsetup-5.25.483-win-x64.exe" ascii nocase
        $file_4 = "notionsetup-5.25.483-win-x64.exe" ascii nocase
        $file_5 = "chiefarchitect-2026-latest-5.3-win-x64.exe" ascii nocase
    condition:
        (any of ($dom_*) and any of ($file_*))
        or (any of ($ip_*) and any of ($cve_*))
        or $sha256_1
}
Recommendations
Strategic
Management
Tactical
Iranian Hackers Use Ransomware as Espionage Cover
A new report from cybersecurity researchers reveals that MuddyWater, an Iranian state-sponsored group linked to the Ministry of Intelligence and Security, is using Chaos ransomware to mask its espionage operations. By adopting the branding of a known cybercriminal operation, the group aims to obscure its true intent and complicate attribution efforts by Western law enforcement. Researchers noted that the group’s increased activity in early 2026 has intensified its reliance on these deceptive false-flag tactics.
The discovery followed an investigation into an intrusion that initially looked like a standard ransomware attack but lacked typical file encryption. The hackers gained access through a social engineering campaign on Microsoft Teams, where they initiated chat requests and used screen-sharing sessions to steal VPN credentials. Despite the clumsy extortion attempt, the attackers successfully leaked legitimate company data. Rapid7 eventually traced the malware and infrastructure back to MuddyWater’s established toolkit and previous Middle Eastern campaigns.
ETLM Assessment:
This incident highlights a growing convergence between nation-state actors and cybercriminal tradecraft. MuddyWater has a history of using ransomware ecosystems, such as Qilin, to maintain plausible deniability while conducting state business. This trend is not exclusive to Iran; state-sponsored groups from China, Russia, and North Korea have also been observed adopting ransomware frameworks to hide data exfiltration or to moonlight for financial gain, as CYFIRMA researchers have noted before. By blurring their motivations, these actors create significant challenges for cyber defenders and international investigators.
Hackers Target Aviation Firms for Geospatial Data
As regional conflicts intensify, threat actors are increasingly targeting geospatial mapping and GPS data to locate enemy assets and assess rival intelligence capabilities. Cybersecurity researchers have identified a sophisticated group dubbed HeartlessSoul (also known as Versatile Werewolf), which utilizes phishing and malvertising to compromise aerospace firms and drone operators. The group lures victims by hosting malware on sites disguised as legitimate aviation software installers and has even planted malicious projects on the SourceForge download service.
The primary objective of HeartlessSoul appears to be the collection of sensitive Geographic Information System (GIS) data, including shapefiles and digital relief maps, currently focused on Russian government and enterprise systems. Analysts note that stealing GIS data provides “operational ground truth,” allowing adversaries to see exactly how a victim perceives terrain, infrastructure, and logistics routes. This intelligence offers immense value for disrupting operations and tracking asset movements.
ETLM Assessment:
HeartlessSoul employs advanced techniques, such as multi-stage infections, fileless execution, and Windows shortcut exploits, to deploy remote access Trojans. While no formal attribution has been made, researchers link these campaigns to pro-Ukrainian interests because they target Russian defense contractors and drone forums to steal the “operational ground truth” – the precise mapping of infrastructure and logistics that allows Ukraine to plan precision strikes and exploit gaps in the Russian military’s own awareness of the terrain.
To mitigate these risks, experts recommend that organizations protect their “crown jewels” – such as flight-planning and engineering software – through zero-trust security measures and network segmentation. By focusing defense investments on the specific workstations that handle critical GIS data, businesses can reduce operational risk without over-burdening non-critical environments.
SafePay Ransomware Impacts Hokuyo Co., Ltd.
Summary:
CYFIRMA observed in an underground forum that a company from Japan, Hokuyo Co., Ltd. (https[:]//hokuyo2006[.]co[.]jp/), was compromised by SafePay Ransomware. Hokuyo Co., Ltd. is a Japanese company that operates as part of a larger industrial group connected to packaging, logistics, and housing-related businesses. It is affiliated with the Tomoku Group, a publicly listed corporation specializing in corrugated packaging and logistics solutions. The company contributes to integrated supply chain operations, including transportation, warehousing, and distribution services across Japan. Its business model focuses on optimizing logistics efficiency, reducing operational costs, and supporting industrial clients through advanced distribution systems. Hokuyo benefits from group synergies, particularly in packaging manufacturing and logistics infrastructure, allowing it to provide end-to-end solutions. The SafePay ransomware group claims to have compromised and exposed internal directory data belonging to Hokuyo Co., Ltd., including administrator-related folders, employee user directories, desktop and document files, fax records, and multiple named user accounts likely associated with company staff. The leaked index suggests potential exposure of internal corporate documents, employee workstation data, operational records, communication files, and business-related information connected to the company’s packaging, logistics, and distribution operations. The presence of numerous user-specific folders indicates that sensitive employee and organizational data may have been accessed as part of the ransomware incident.

Source: Dark Web
Relevancy & Insights:


ETLM Assessment:
According to CYFIRMA’s assessment, SafePay represents a sophisticated, fast-moving ransomware threat capitalizing on VPN weaknesses and credential theft, employing effective double extortion tactics to maximize ransom payments. Organizations, especially in highly targeted sectors and regions, must prioritize layered defenses and active hunting for early detection.
The Gentlemen Ransomware Impacts Marutake
Attack Type: Ransomware
Target Industry: Healthcare
Target Geography: Japan
Ransomware: The Gentlemen Ransomware
Objective: Data Theft, Data Encryption, Financial Gains
Business Impact: Financial Loss, Data Loss, Reputational Damage
Summary:
CYFIRMA observed in an underground forum that a company from Japan, Marutake (https[:]//www[.]kk-marutake[.]co[.]jp/), was compromised by The Gentlemen Ransomware. Marutake Co., Ltd. is a comprehensive pharmaceutical and medical wholesale company founded on June 15, 1925, and headquartered in Niigata City, Japan, with a 100-year history of connecting manufacturers to healthcare providers across the region. The company distributes prescription pharmaceuticals, medical devices, clinical diagnostic reagents, hygiene materials, nursing care products, and healthcare IT systems to hospitals, clinics, and pharmacies, primarily across Niigata, Yamagata, Miyagi, Akita, Tokyo, and Gunma prefectures. The breached data has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data includes confidential and sensitive information belonging to the organization.

Source: Dark Web
Relevancy & Insights:


ETLM Assessment:
According to CYFIRMA’s assessment, the Gentlemen Ransomware is a highly adaptive and globally active threat that leverages dual-extortion tactics, combining data theft with file encryption. The group employs advanced evasion and persistence techniques, supports cross-platform and scalable ransomware deployment, and conducts targeted attacks across multiple industries and geographic regions. This combination of capabilities makes it a significant risk to enterprise cybersecurity defenses, particularly for organizations with limited detection and incident-response maturity.
Vulnerability in Palo Alto Networks PAN-OS
Relevancy & Insights:
The vulnerability exists due to a boundary error within the User-ID Authentication Portal (aka Captive Portal) service.
Impact:
A remote attacker can send specially crafted packets to the device, trigger an out-of-bounds write and execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls.
Note: the vulnerability is being actively exploited in the wild.
Affected Products:
https://security.paloaltonetworks.com/CVE-2026-0300
Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.
TOP 5 AFFECTED TECHNOLOGIES OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment
Vulnerability in Palo Alto Networks PAN-OS introduces significant risks to enterprise network security infrastructures that rely on perimeter defense, identity-based policy enforcement, and secure access control. As PAN-OS is widely deployed across enterprise firewall environments, exploitation of this vulnerability could allow attackers to compromise critical security appliances, disrupt network traffic inspection, or gain unauthorized control over protected infrastructure. Organizations leveraging enterprise firewall platforms must ensure timely patching, secure exposure management, and continuous monitoring to prevent potential compromise. Addressing this vulnerability is essential to maintaining the integrity, availability, and security of enterprise network defense environments.
KillSec Ransomware attacked and published the data of Medical Pay
Summary:
Recently, we observed that KillSec Ransomware attacked and published the data of Medical Pay (https[:]//medical-pay[.]jp/) on its dark web website. Medical Pay is a medical financing and payment facilitation company based in Japan (Tokyo) that provides healthcare payment support services. The ransomware leak page associated with Medical Pay indicates that sensitive healthcare-related data may have been compromised, including scanned prescription documents, patient medical records, healthcare transaction information, and personally identifiable information (PII) visible in uploaded medical forms and prescription images. Based on the preview images displayed on the disclosure page, the exposed data could include patient names, prescription details, medical institution information, treatment-related records, billing or payment information, and other confidential healthcare documents associated with the Medical Pay platform.

Source: Dark Web
Relevancy & Insights:
ETLM Assessment:
The emergence and evolution of KillSec’s Ransomware-as-a-Service (RaaS) platform represents a concerning development in the cybercrime landscape. By lowering the technical barrier to entry, this RaaS model allows less skilled individuals to engage in sophisticated ransomware attacks, potentially leading to an increase in such incidents globally.
According to CYFIRMA’s assessment, the KillSec ransomware group is expected to continue targeting a wide range of industries worldwide. Their advanced tactics, such as exploiting website vulnerabilities and conducting credential theft, make them a significant threat to organizations with inadequate security measures in place.
Hakara Data Advertised on a Leak Site
Summary: The CYFIRMA research team identified a post on a dark web forum by a threat actor using the alias “Xorcat,” claiming responsibility for a large-scale data leak associated with Hakara[.]vn, a Vietnam-based karaoke and social singing application available on both the Apple App Store and Google Play. In the forum post, the actor alleges that approximately 161,000 user records were extracted from an improperly secured Elasticsearch instance exposed to the internet without authentication. The threat actor claims the exposure resulted from a publicly accessible /users/_search endpoint, a lack of rate limiting enabling full index enumeration, and a misconfigured Cross-Origin Resource Sharing (CORS) policy allowing unrestricted browser-based access.
According to the forum post, the compromised platform uses Elasticsearch as its backend indexing system, and the extracted dataset was allegedly obtained in May 2026. The actor states that the database was exported in JSON-line format, with each line representing an individual user document. Sample records shared in the post appear to contain detailed user profile information, account metadata, social login identifiers, activity statistics, and location-related information, increasing the credibility of the alleged breach.
Based on the threat actor’s description and the exposed sample data, the compromised dataset reportedly includes:
The threat actor claims that the exposed database contains over 161,000 user documents, potentially affecting a substantial portion of the application’s user base. The inclusion of IP addresses, device identifiers, social media-linked login credentials, and user behavioral metadata significantly increases the risk of targeted phishing attacks, account takeovers, identity profiling, and social engineering campaigns against affected individuals.
Particularly concerning is the exposure of social authentication identifiers tied to Facebook and Apple accounts, which could enable attackers to correlate leaked information with external platforms and build detailed user profiles. Additionally, the presence of geographic, timezone, and activity-related metadata may allow adversaries to map user behavior patterns and online presence.
This incident indicates a potentially severe data exposure event involving personally identifiable information (PII), social account linkage data, and user activity intelligence. If validated, the breach could expose affected users to identity theft, credential abuse, targeted scams, privacy violations, and reputational risks. Furthermore, the incident highlights ongoing security challenges related to misconfigured cloud-hosted databases, inadequate access controls, and insecure API exposure practices within mobile application ecosystems.
The authenticity of this claim remains unverified at the time of reporting, as it originates solely from the threat actor.

Source: Underground Forums
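The three weaknesses named in the post above (unauthenticated index reads, any-origin CORS, an internet-facing node) are all visible in an Elasticsearch node's configuration. The following is an added example, not code from the CYFIRMA report or from Hakara, that audits a flat elasticsearch.yml for those settings; the two sample configurations are constructed.

```python
# Added example, not code from the CYFIRMA report or from Hakara: a small
# offline audit for the kind of Elasticsearch exposure described above
# (unauthenticated index reads, any-origin CORS, internet-facing binding).
# It parses the flat `dotted.key: value` form elasticsearch.yml uses.
import re

# Constructed sample of a weakly configured node (assumption, not observed data).
WEAK_CONFIG = """
cluster.name: karaoke-prod
network.host: 0.0.0.0
xpack.security.enabled: false      # anyone can GET /users/_search
http.cors.enabled: true
http.cors.allow-origin: "*"        # any web page may query the cluster
"""

# The same node after hardening: authentication on, CORS off, private bind.
HARDENED_CONFIG = """
cluster.name: karaoke-prod
network.host: 10.0.0.5
xpack.security.enabled: true
http.cors.enabled: false
"""

_LINE = re.compile(r'^\s*([A-Za-z0-9_.\-]+)\s*:\s*(.*?)\s*$')

def parse_flat_yaml(text: str) -> dict:
    """Return {key: value} for flat `key: value` lines.
    Comments and blank lines are skipped; quotes around values are stripped.
    (Simplification: a '#' inside a quoted value is treated as a comment.)"""
    settings = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.split('#', 1)[0])
        if m:
            settings[m.group(1)] = m.group(2).strip('"\'')
    return settings

def audit_elasticsearch(text: str) -> list:
    """Flag settings that reproduce the exposure pattern in the forum claim."""
    s = parse_flat_yaml(text)
    findings = []
    # 1. Unauthenticated access: security off, or anonymous roles granted.
    sec = s.get('xpack.security.enabled')
    if sec is None:
        findings.append('xpack.security.enabled not set: confirm the default '
                        'for your version (security was off by default before 8.0)')
    elif sec.lower() == 'false':
        findings.append('security disabled: every index is readable without credentials')
    if s.get('xpack.security.authc.anonymous.roles'):
        findings.append('anonymous roles granted: ' + s['xpack.security.authc.anonymous.roles'])
    # 2. Wildcard CORS lets any origin read the cluster from a visitor's browser.
    if s.get('http.cors.enabled', '').lower() == 'true' and \
            s.get('http.cors.allow-origin') in ('*', '/.*/'):
        findings.append('CORS allows any origin: cross-site browser reads possible')
    # 3. Binding to all interfaces is what puts the node on the public internet.
    if s.get('network.host') in ('0.0.0.0', '::'):
        findings.append('bound to all interfaces: reachable beyond localhost')
    return findings
```

Request rate limiting, the other weakness the post mentions, is enforced at a reverse proxy or API gateway rather than in this file, so the audit does not cover it.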
Tokopedia Data Advertised on a Leak Site
Summary: The CYFIRMA research team identified a post on a dark web forum by a threat actor using the alias “XSVSHACKER,” advertising an allegedly compromised database associated with Tokopedia, one of Indonesia’s largest e-commerce and online marketplace platforms. In the forum post, the actor claims to possess and leak approximately 40,000 customer records containing sensitive personally identifiable information (PII), transaction details, shipping information, and order-related data. The post suggests that the exposed dataset contains structured customer purchase records and transactional metadata, indicating a potentially serious compromise affecting Tokopedia users and e-commerce operations.
According to the threat actor, the leaked dataset contains detailed order and customer information exported in a structured format resembling CSV or database table records. The sample entries shared in the forum include multiple customer purchase transactions with extensive personal, financial, and logistical information. The exposed records appear to contain customer identities, contact details, payment methods, shipping addresses, ordered products, pricing information, and transaction statuses, reinforcing the credibility of the alleged breach.
Based on the threat actor’s description and the sample data visible in the post, the compromised dataset reportedly includes:
The leaked sample records suggest that the dataset may expose detailed consumer purchasing behavior and financial transaction metadata. Particularly concerning is the inclusion of payment method information combined with personally identifiable information and shipping addresses, which could significantly increase the risk of targeted phishing attacks, financial fraud, account takeover attempts, identity theft, and social engineering campaigns against affected customers.
Additionally, the exposure of order histories and transaction statuses may allow threat actors to profile consumer behavior, identify high-value customers, and conduct highly personalized fraud schemes. The dataset also appears to contain extensive geographic distribution information, potentially enabling large-scale regional targeting of Indonesian users through SMS phishing (smishing), fake delivery scams, and fraudulent e-commerce communications impersonating Tokopedia or financial service providers.
This incident indicates a potentially severe compromise involving sensitive customer, financial, and transactional information within Indonesia’s e-commerce ecosystem. If validated, the leak could have substantial implications for customer privacy, payment security, and regulatory compliance under Indonesian data protection frameworks. The scale and granularity of the allegedly exposed records may also impact consumer trust in online commerce platforms and digital payment systems throughout the region.
The authenticity of this claim remains unverified at the time of reporting, as it originates solely from the threat actor.

Source: Underground Forums
Relevancy & Insights:
Financially motivated cybercriminals are continuously looking for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to gain access and steal valuable data. Subsequently, the stolen data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.
ETLM Assessment:
The threat actor “XSVSHACKER” is assessed as an active and capable entity primarily engaged in data-leak operations, with multiple credible indications linking them to incidents involving unauthorized system access and the dissemination or sale of stolen data on dark web forums. These activities underscore the growing sophistication of cyber threats driven by organized underground networks and highlight the urgent need for organizations to enhance their cybersecurity posture through continuous monitoring, improved threat intelligence, and proactive defensive measures to protect sensitive information and critical infrastructure.
Recommendations: Enhance the cybersecurity posture by:
The CYFIRMA research team identified a post on a dark web forum by a threat actor using the alias “Xorcat,” advertising the public release of an allegedly compromised dataset associated with Fairline International, a United Kingdom-based luxury yacht manufacturing company. In the forum post, the actor claims to have extracted and leaked approximately 67GB of sensitive corporate and client data spanning Fairline’s global digital infrastructure. The actor alleges that the leak occurred after the company refused ransom negotiations, stating “No deal. No payment. No response,” suggesting the incident may be linked to a financially motivated extortion campaign targeting the organization.
According to the threat actor, the compromise allegedly resulted from multiple exposed and misconfigured systems within Fairline International’s infrastructure. The actor claims to have exploited a misconfigured Salesforce Commerce Cloud instance with exposed public API endpoints, default administrative credentials on a Magento 2 e-commerce platform, an exposed Google Cloud SQL backup bucket without authentication, and publicly accessible credentials and configuration files stored in a webroot directory. Additionally, the post alleges unauthorized access to internal Confluence wiki pages via an exposed XML-RPC endpoint, indicating broad visibility into internal operational and corporate systems.
The threat actor states that the extracted archive contains approximately 64,147 files compressed into a 67GB dataset collected between April and May 2026. The leaked material allegedly spans customer data, dealer agreements, financial documentation, engineering records, HR information, logistics records, and internal communications. Sample information shared in the post suggests a high level of access to Fairline International’s internal corporate ecosystem and operational infrastructure.
Based on the threat actor’s description, the compromised dataset reportedly includes:
The alleged exposure of passport scans, financial records, engineering blueprints, and executive communications significantly elevates the potential impact of this incident. The combination of sensitive customer identity information, financial intelligence, and proprietary yacht engineering documentation could enable identity theft, business espionage, targeted extortion, fraudulent yacht transactions, and sophisticated spear-phishing campaigns against high-net-worth individuals and corporate partners.
Particularly concerning is the alleged compromise of cloud infrastructure credentials, internal source code, and operational documentation, which may facilitate persistent access, secondary compromises, or supply chain attacks targeting Fairline’s partners, dealers, and logistics providers. The exposure of luxury yacht ownership and marina logistics information may also introduce physical security risks for affected customers and executives.
The authenticity of this breach remains unverified at the time of reporting, as the claim originates solely from the threat actor.

Source: Underground Forums
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.





For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, and technology, please access DeCYFIR.