Category: Threat Research

RST TI Report Digest: 31 Mar 2025
This week’s threat intelligence report reveals an analysis of multiple cyber threat reports. Key highlights include espionage tactics from APT groups, sophisticated malware deployments, and various Indicators of Compromise (IoCs) detected across platforms. The ongoing evolution of cyber threats emphasizes adaptive techniques utilized by attackers to infiltrate critical sectors.…
Read More
Exposed Jupyter Notebooks Targeted to Deliver Cryptominer
Cado Security Labs uncovered a new cryptomining campaign that exploits misconfigured Jupyter Notebooks across Windows and Linux systems. This campaign employs a series of executables, scripts, and binary downloads to install cryptominers targeting various cryptocurrencies. Affected: Jupyter Notebooks, Windows systems, Linux systems, cloud environments

Keypoints :

A cryptomining campaign utilizes Jupyter Notebooks, targeting Windows and Linux.…
Read More
SVC New Stealer on the Horizon
SvcStealer 2025 is a sophisticated information-stealing malware delivered through spear phishing emails. It captures sensitive data from victims, including credentials and cryptocurrency wallet information, and sends it to a command and control (C2) server. With a focus on evading detection, it deletes traces of its activities and can potentially download additional malware.…
Read More
SVG Phishing Malware Being Distributed with Analysis Obstruction Feature
A recent investigation by AhnLab Security Intelligence Center (ASEC) has uncovered a phishing malware distributed in Scalable Vector Graphics (SVG) format. This malware embeds malicious scripts encoded in Base64, effectively using SVG’s capabilities to evade detection. It exploits users by redirecting them to counterfeit CAPTCHA pages which are designed to hinder analysis and capture sensitive information.…
Read More
The Ransom Group D0glun: Hidden Threat or Just for Fun?
The D0glun ransomware, first identified on January 16, 2025, showcases a unique method of operation, targeting victims by displaying their private information and requiring a key and ID for file decryption. The attack seems motivated by low confidence, potentially signaling an inept beginner. Affected: ransomware, cybersecurity

Keypoints :

D0glun ransomware was first submitted on January 16, 2025.…
Read More
Samsung Tickets Data Leak: Infostealers Strike Again in Massive Free Dump
This article discusses a massive data breach impacting Samsung Germany, where a hacker known as “GHNA” leaked approximately 270,000 customer tickets due to credentials stolen by infostealer malware back in 2021. The breach highlights the dangers of unmonitored and unrotated credentials, leading to potential exploitation and privacy violations for thousands of customers.…
Read More
Unveiling APT28’s Advanced Obfuscated Loader and HTA Trojan: A Deep Dive with x32dbg Debugging
APT28 has been observed conducting cyber espionage activities focusing on Central Asia and Kazakhstan. This analysis explores a heavily obfuscated malware sample, assessing its capabilities, particularly its use of VBScript and interaction with a command-and-control server. Affected: APT28, Central Asia, Kazakhstan

Keypoints :

APT28 is engaged in cyber espionage targeting Central Asia and Kazakhstan.…
Read More
Major Cyber Attacks Targeting Transportation & Logistics Industry
The transportation and logistics industry is increasingly targeted by cybercriminals as they exploit vulnerabilities to disrupt operations and steal sensitive data. Major incidents include ransomware attacks affecting ports and airports, along with data breaches that raise severe concerns about data security within the sector. Affected: transportation and logistics industry, public infrastructure, cybersecurity sector

Keypoints :

Transportation and logistics sector is a major target for cybercriminals due to valuable data.…
Read More
CISA has reported on three malicious files acquired from an Ivanti Connect Secure device compromised through CVE-2025-0282. The files exhibit functionalities similar to known malware, including command and control capabilities and log tampering. RESURGE, the primary file, can modify files and create a web shell. Another file, a variant of SPAWNSLOTH, tampered with logs, while the third one included a shell script that extracts kernel images.…
Read More
Apache Tomcat: CVE-2025-24813
CVE-2025-24813 is a critical vulnerability in Apache Tomcat that can allow remote, unauthenticated attackers to execute arbitrary code or access sensitive files. Organizations using vulnerable versions need to apply patches to protect their systems. Affected: Apache Tomcat

Keypoints :

Critical path equivalence vulnerability in Apache Tomcat, identified as CVE-2025-24813.…
Read More
The Lotus Blossom, also known as Lotus Panda, is a sophisticated Chinese APT group involved in cyber espionage for over a decade. They have recently enhanced their tactics by deploying new Sagerunex backdoor variants that utilize third-party cloud services and social media for command-and-control activities. This article examines their tactics, techniques, and procedures, detailing their operational framework along with the challenges we face against such persistent threats.…
Read More
A Deep Dive into Water Gamayun’s Arsenal and Infrastructure
Trend Research reveals the exploits of Water Gamayun, a suspected Russian threat actor leveraging a zero-day vulnerability (CVE-2025-26633) in Microsoft Management Console to deploy malware. Their methods include custom payloads, data exfiltration techniques, and the use of backdoor malware. This campaign poses severe risks to organizations, including data theft and operational disruption.…
Read More
How an Exposed Jenkins Instance Led to a Full-Scale Infrastructure Compromise
This article discusses the risks associated with misconfigured Jenkins instances in CI/CD pipelines, highlighting a specific case where an exposed Jenkins service led to unauthorized access and severe security vulnerabilities. The findings from CloudSEK’s BeVigil underscore the potential consequences of such misconfigurations, including remote code execution, credential theft, and regulatory risks.…
Read More
I Am Not A Robot
Recent social engineering tactics have evolved to include a variant of the SectopRAT malware, which is disguised as a Cloudflare verification challenge. This Remote Access Trojan employs extensive techniques for data exfiltration and uses various evasion methods to avoid detection. Affected: Users, Browsers, Cryptocurrency Holders

Keypoints :

ClickFix-style social engineering techniques are becoming more prevalent among threat groups.…
Read More
StreamElements Confirms Third-Party Data Breach from an Infostealer Infection
StreamElements has reported a serious data breach affecting over 100,000 individuals due to a third-party service provider’s compromise. Sensitive data, including names, addresses, and emails, was accessed via a Redline Infostealer infection that targeted an employee’s credentials, leading to unauthorized access to their merchandise operations. Affected: StreamElements, Gooten.com,…
Read More